Abstract. Two styles of definitions are usually considered to express that a security 
protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s 
should never be disclosed while equivalence-based secrecy states that two executions of a 
protocol with distinct instances for s should be indistinguishable to an attacker. Although 
the second formulation ensures a higher level of security and is closer to cryptographic 
notions of secrecy, decidability results and automatic tools have mainly focused on the 
first definition so far. 

This paper initiates a systematic investigation of the situations where syntactic se- 
crecy entails strong secrecy. We show that in the passive case, reachability-based secrecy 
actually implies equivalence-based secrecy for digital signatures, symmetric and asymmet- 
ric encryption provided that the primitives are probabilistic. For active adversaries, we 
provide sufficient (and rather tight) conditions on the protocol for this implication to hold. 



1. Introduction

Cryptographic protocols are small programs designed to ensure secure communications. Since they are widely distributed in critical systems, their security is primordial. In particular, verification using formal methods attracted a lot of attention during this last decade. A first difficulty is to formally express the security properties that are expected. Even a basic property such as confidentiality admits two different acceptable definitions, namely reachability-based (syntactic) secrecy and equivalence-based (strong) secrecy. Syntactic secrecy is quite appealing: it says that the secret is never accessible to the adversary. For example, consider the following protocol where the agent $A$ simply sends a secret $s$ to an agent $B$, encrypted with $B$'s public key.

$$A \to B : \{s\}_{\mathsf{pub}(B)}$$

An intruder cannot deduce $s$, thus $s$ is syntactically secret. Although this notion of secrecy may be sufficient in many scenarios, in others, stronger security requirements are desirable.
For instance, consider a setting where $s$ is a vote and $B$ behaves differently depending on its value. If the actions of $B$ are observable, $s$ remains syntactically secret but an attacker can learn the value of the vote by watching $B$'s actions. The design of equivalence-based secrecy is targeted at such scenarios and intuitively says that an adversary cannot observe the difference when the value of the secret changes. This definition is essential to express properties like the confidentiality of a vote, of a password, or the anonymity of participants in a protocol.

Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, so far decidability results and automatic tools have mainly focused on the first definition. The syntactic secrecy preservation problem is undecidable in general [21], it is co-NP-complete for a bounded number of sessions [31], and several decidable classes have been identified in the case of an unbounded number of sessions [21], [16], [9], [30]. These results often come with automated tools; we mention for example ProVerif [6], Casper [27], CAPSL [19], and Avispa [5].

Many works have been dedicated to proving correctness properties of protocols such as strong secrecy using contextual equivalences on process calculi, like the spi-calculus. In particular, framed bisimilarity has been introduced by Abadi and Gordon [2] for this purpose. However, it was not well suited for automation, as the definition of framed bisimilarity uses several levels of quantification over infinite domains (e.g. the set of contexts). In [22] the authors introduce fenced bisimilarity as an attempt to eliminate one of the quantifiers. Also, in [12] Borgström et al. propose a sound but incomplete decision procedure based on a symbolic bisimulation. Another approach to circumvent the context quantification problem is presented in [11], where labelled transition systems are constrained by the knowledge the environment has of names and keys. This approach allows for more direct proofs of equivalence. In order to get some support for compositional reasoning in this setting, [10] extends it with some equational laws. In [20] model-checking techniques for the verification of spi-calculus testing equivalence are explored. The technique is limited to finite processes but seems to perform well on some examples. The concept of logical relations for the polymorphic lambda calculus has also been employed to prove behavioral equivalences between programs that rely on encryption in a compositional manner [33].




However, to the best of our knowledge, the only tool capable of verifying strong secrecy is the resolution-based algorithm of ProVerif [7], which has been extended for this purpose. ProVerif has also been enhanced for handling equivalences of processes that differ only in the choice of some terms, in the context of the applied pi calculus [8]. This allows one to add equational theories for modelling properties of the underlying cryptographic primitives.

Similarly, very few decidability results are available for strong secrecy. In the article [24], Hüttel proves decidability for a fragment of the spi-calculus without recursion for framed bisimilarity. For recursive processes, only a class of ping-pong protocols restricted to two principals admits a decidable strong bisimilarity relation [26].

Finally, we should mention here some related works based on the concept of non-interference [32]. This notion formalizes the absence of unauthorized information flow in multilevel computer systems. Non-interference has been widely investigated in the context of language-based security (e.g. [MIES]). It can be expressed with process equivalence techniques and has also been applied to security protocols in [23], [14]. An advantage of this approach is that various security properties, including secrecy, can be modeled by selecting proper equivalence relations. However, as far as we know, decidability results for non-interference properties of security protocols have not been reported.
In light of the above discussion, it may seem that the two notions of secrecy are separated by a sizable gap, from both a conceptual and a practical point of view. These two notions have counterparts in the cryptographic setting (where messages are bit-strings and the adversary is any probabilistic polynomial-time Turing machine). Intuitively, the syntactic secrecy notion can be translated into a similar reachability-based secrecy notion, and the equivalence-based notion is close to indistinguishability. A quite surprising result [18] states that cryptographic syntactic secrecy actually implies indistinguishability in the cryptographic setting. This result relies in particular on the fact that the encryption schemes are probabilistic, thus two encryptions of the same plaintext lead to different ciphertexts.

Motivated by the result of [18] and the large number of available systems for syntactic 
secrecy verification, we initiate in this paper a systematic investigation of situations where 
syntactic secrecy entails strong secrecy. Surprisingly, this happens in many interesting cases. 

We offer results in both the passive and the active case in the setting of the applied pi calculus [1]. We first treat in Section 2 the case of passive adversaries. We prove that syntactic secrecy is equivalent to strong secrecy. This holds for signatures, symmetric and asymmetric encryption. It can be easily seen that the two notions of secrecy are not equivalent in the case of deterministic encryption. Indeed, the secret $s$ cannot be deduced from the encrypted message $\{s\}_{\mathsf{pub}(B)}$, but if the encryption is deterministic, an intruder may try different values for $s$ and check whether the ciphertext he obtained using $B$'s public key is equal to the one he receives. Thus for our result to hold, we require that encryption is probabilistic. This is not a restriction since this is de facto the standard in almost all cryptographic applications. Next, we consider the more challenging case of active adversaries. We give sufficient conditions on the protocols for syntactic secrecy to imply strong secrecy (Section 3). Intuitively, we require that the conditional tests are not performed directly on the secret, since we have seen above that such tests provide information on the value of this secret. We again exhibit several counter-examples to motivate the introduction of our conditions. An important aspect of our result is that we do not make any assumption on the number of sessions: we put no restriction on the use of replication. In particular, our result holds for an unbounded number of sessions.

The interest of our contribution is twofold. First, conceptually, it helps to understand when the two definitions of secrecy are actually equivalent. Second, we can transfer many existing results (and the armada of automatic tools) developed for syntactic secrecy. For instance, since the syntactic secrecy problem is decidable for tagged protocols for an unbounded number of sessions [30], by translating the tagging assumption to the applied pi calculus, we can derive a first decidability result for strong secrecy for an unbounded number of sessions. Other decidable fragments might be derived from [21] for bounded messages (and nonces) and [4] for a bounded number of sessions. A first version of this result was published in the Proceedings of CSL'06 [17], with no detailed proofs. In that preliminary version, the correspondence result in the active case was only established for symmetric encryption. We extend it here to asymmetric encryption and digital signatures.

2. Passive case 

2.1. Syntax. Cryptographic primitives are represented by function symbols. More specifically, we consider the signature $\Sigma = \{\mathsf{enc}, \mathsf{dec}, \mathsf{enca}, \mathsf{deca}, \mathsf{pub}, \mathsf{priv}, \langle\,\rangle, \pi_1, \pi_2, \mathsf{sign}, \mathsf{check}, \mathsf{retrieve}\}$ where the function symbols have arities 3, 2, 3, 2, 1, 1, 2, 1, 1, 2, 3 and 1 respectively.

$\mathcal{T}(\Sigma, \mathcal{X}, \mathcal{N})$, or simply $\mathcal{T}$, denotes the set of terms built over $\Sigma$ extended by a set of constants, the infinite set of names $\mathcal{N}$ and the infinite set of variables $\mathcal{X}$. A term is closed or ground if it does not contain any variable. The set of names occurring in a term $T$ is denoted by $\mathrm{fn}(T)$, the set of variables is denoted by $\mathcal{V}(T)$. The positions in a term $T$ are defined recursively as usual (i.e. as sequences of positive integers), $\epsilon$ being the empty sequence. Denote by the set of sequences of positive integers. We denote by $T|_p$ the subterm of $T$ at position $p$ and by $U[V]_p$ the term obtained by replacing in $U$ the subterm at position $p$ by $V$. $\mathrm{Pos}(T)$ denotes the set of positions of $T$, $\mathrm{Pos}_v(T)$ the set of positions of variables in $T$ and $\mathrm{Pos}_{nv}(T) = \{p \in \mathrm{Pos}(T) \mid T|_p \notin \mathcal{V}(T)\}$ the set of non-variable positions of $T$. We may simply say that a term $V$ is in a term $U$ if $V$ is a subterm of $U$. We denote by $\leq_{st}$ (resp. $<_{st}$) the subterm (resp. strict subterm) order. $h_U$ denotes the function symbol, name or variable at position $\epsilon$ in the term $U$. A substitution is a function that maps variables to terms, $\sigma : \mathcal{X} \to \mathcal{T}$. We write $\sigma = \{{}^{T_1}/_{x_1}, \ldots, {}^{T_n}/_{x_n}\}$ to say that $x_i\sigma = T_i$ for $1 \leq i \leq n$ and $x\sigma = x$ for $x \neq x_j$. The expression $U[{}^{V}/_{x}]$ denotes $U\sigma$ where $\sigma = \{{}^{V}/_{x}\}$.
We equip the signature with an equational theory $E$:

$$\begin{array}{rcl}
\pi_1(\langle z_1, z_2\rangle) & = & z_1\\
\pi_2(\langle z_1, z_2\rangle) & = & z_2\\
\mathsf{dec}(\mathsf{enc}(z_1, z_2, z_3), z_2) & = & z_1\\
\mathsf{deca}(\mathsf{enca}(z_1, \mathsf{pub}(z_2), z_3), \mathsf{priv}(z_2)) & = & z_1\\
\mathsf{check}(z_1, \mathsf{sign}(z_1, \mathsf{priv}(z_2)), \mathsf{pub}(z_2)) & = & \mathsf{ok}\\
\mathsf{retrieve}(\mathsf{sign}(z_1, z_2)) & = & z_1
\end{array}$$

Let $\mathcal{R}_E$ be the corresponding rewrite system (obtained by orienting the equations from left to right). $\mathcal{R}_E$ is convergent. The normal form of a term $T$ w.r.t. $\mathcal{R}_E$ is denoted by $T{\downarrow}$. Notice that $E$ is also stable by substitution of names. As usual, we write $U \to V$ if there exist $\theta$, a position $p$ in $U$ and $L \to R \in \mathcal{R}_E$ such that $U|_p = L\theta$ and $V = U[R\theta]_p$.

The symbol $\langle \_, \_\rangle$ represents the pairing function and $\pi_1$ and $\pi_2$ are the associated projection functions. The term $\mathsf{enc}(M, K, R)$ represents the message $M$ encrypted with the key $K$. The third argument $R$ reflects that the encryption is probabilistic: two encryptions of the same message under the same key are different. The symbol $\mathsf{dec}$ stands for decryption. The symbols $\mathsf{enca}$ and $\mathsf{deca}$ are very similar but in an asymmetric setting, where $\mathsf{pub}(a)$ and $\mathsf{priv}(a)$ represent respectively the public and private keys of an agent $a$. We denote by $\mathsf{enc}_g$ (respectively $\mathsf{dec}_g$) a generic encryption (decryption), that is, when using it we refer to both symmetric and asymmetric encryption (decryption). The term $\mathsf{sign}(M, K)$ represents the signature of message $M$ with key $K$. $\mathsf{check}$ enables one to verify the signature and $\mathsf{retrieve}$ enables one to retrieve the signed message from the signature¹. The function symbols $\langle\,\rangle$, $\mathsf{enc}$, $\mathsf{enca}$ and $\mathsf{sign}$ are called constructors, while $\pi_1$, $\pi_2$, $\mathsf{dec}$, $\mathsf{deca}$, $\mathsf{check}$ and $\mathsf{retrieve}$ are called destructors.

After the execution of a protocol, an attacker knows the messages sent on the network and also in which order they were sent. Such message sequences are organized as frames $\varphi = \nu\tilde{n}.\sigma$, where $\sigma = \{{}^{M_1}/_{y_1}, \ldots, {}^{M_l}/_{y_l}\}$ is an acyclic substitution and $\tilde{n}$ is a finite set of names. We denote $\mathrm{dom}(\varphi) = \mathrm{dom}(\sigma) = \{y_1, \ldots, y_l\}$ and $\mathrm{ran}(\varphi) = \mathrm{ran}(\sigma) = \{M_1, \ldots, M_l\}$. The variables $y_i$ enable us to refer to each message. The names in $\tilde{n}$ are said to be restricted in $\varphi$. Intuitively, these names are a priori unknown to the intruder. The names outside $\tilde{n}$ are said to be free in $\varphi$. The set of free names occurring in $\varphi$ is denoted $\mathrm{fn}(\varphi)$. A term $M$ is said public w.r.t. a frame $\nu\tilde{n}.\sigma$ (or w.r.t. a set of names $\tilde{n}$) if $\mathrm{fn}(M) \cap \tilde{n} = \emptyset$ and it does not use the function symbol $\mathsf{priv}$; in other words, if $M \in \mathcal{T}(\Sigma \setminus \{\mathsf{priv}\}, \mathcal{X}, \mathcal{N} \setminus \tilde{n})$. The frame or the set of names might be omitted when it is clear from the context. We usually write $\nu n_1, \ldots, n_k$ instead of $\nu\{n_1, \ldots, n_k\}$.

¹ Signature schemes may disclose partial information on the signed message. To enforce the intruder capabilities, we assume that messages can always be retrieved out of the signature.

2.2. Deducibility. Given a frame $\varphi$ that represents the history of messages sent during the execution of a protocol, we define the deduction relation, denoted by $\varphi \vdash M$. Deducible messages are messages that can be obtained from $\varphi$ by applying function symbols and the equational theory $E$.

$$\frac{}{\nu\tilde{n}.\sigma \vdash x\sigma}\; x \in \mathrm{dom}(\sigma) \qquad\qquad \frac{}{\nu\tilde{n}.\sigma \vdash m}\; m \in \mathcal{N} \setminus \tilde{n}$$

$$\frac{\nu\tilde{n}.\sigma \vdash T_1 \quad \cdots \quad \nu\tilde{n}.\sigma \vdash T_l}{\nu\tilde{n}.\sigma \vdash f(T_1, \ldots, T_l)}\; f \neq \mathsf{priv} \qquad\qquad \frac{\nu\tilde{n}.\sigma \vdash T \quad T =_E T'}{\nu\tilde{n}.\sigma \vdash T'}$$

Example 1. $k$ and $\langle k, k'\rangle$ are deducible from the frame $\nu k, k', r.\{{}^{\mathsf{enc}(\langle k, k'\rangle, k', r)}/_x, {}^{k'}/_y\}$.

A message is usually said secret if it is not deducible. By opposition to our next notion of secrecy, we say that a term $M$ is syntactically secret in $\varphi$ if $\varphi \nvdash M$. We will often use another characterization of deducible terms.

Proposition 2.1. Let $\varphi = \nu\tilde{n}.\sigma$ be a frame and $M$ be a term. $\varphi \vdash M$ if and only if there exists a public term $T$ w.r.t. $\varphi$ such that $T\sigma =_E M$.

This is easily proved by induction on the length of the proof of deducibility.

2.3. Static equivalence. Deducibility does not always suffice to express the abilities of an intruder.

Example 2. The set of deducible messages is the same for the frames $\varphi_1 = \nu k, n_1, n_2, r_1.\{{}^{\mathsf{enc}(n_1, k, r_1)}/_x, {}^{\langle n_1, n_2\rangle}/_y, {}^{k}/_z\}$ and $\varphi_2 = \nu k, n_1, n_2, r_1.\{{}^{\mathsf{enc}(n_2, k, r_1)}/_x, {}^{\langle n_1, n_2\rangle}/_y, {}^{k}/_z\}$, while an attacker is able to detect that the first message corresponds to distinct nonces. In particular, the attacker is able to distinguish the two "worlds" represented by $\varphi_1$ and $\varphi_2$.

We say that a frame $\varphi = \nu\tilde{n}.\sigma$ passes the test $(U, V)$, where $U, V$ are two terms, denoted by $(U = V)\varphi$, if there exists a renaming of the restricted names in $\varphi$ such that $(\mathrm{fn}(U) \cup \mathrm{fn}(V)) \cap \tilde{n} = \emptyset$ and $U\sigma =_E V\sigma$. Two frames $\varphi = \nu\tilde{n}.\sigma$ and $\varphi' = \nu\tilde{m}.\sigma'$ are statically equivalent, written $\varphi \approx \varphi'$, if they pass the same public tests, that is, if $\mathrm{dom}(\varphi) = \mathrm{dom}(\varphi')$ and for all public terms $U, V$ w.r.t. $\varphi$ and $\varphi'$ such that $(\mathcal{V}(U) \cup \mathcal{V}(V)) \subseteq \mathrm{dom}(\varphi)$ we have $(U = V)\varphi$ if and only if $(U = V)\varphi'$.

Example 3. The frames $\varphi_1$ and $\varphi_2$ defined in Example 2 are not statically equivalent since $(\mathsf{dec}(x, z) = \pi_1(y))\varphi_1$ but $(\mathsf{dec}(x, z) \neq \pi_1(y))\varphi_2$.

Let $\varphi = \nu\tilde{n}.\sigma$ be a frame and $s \in \tilde{n}$ a restricted name in $\varphi$. Let $M$ be a term such that $\mathrm{fn}(M) \cap \tilde{n} = \emptyset$. We denote by $\varphi[{}^{M}/_s]$ the frame $\nu\tilde{n}.\sigma[{}^{M}/_s]$ obtained by instantiating $s$ with $M$ in each term of the substitution $\sigma$.

We say that $s$ is strongly secret in $\varphi$ if for every closed public terms $M, M'$ w.r.t. $\varphi$ we have $\varphi[{}^{M}/_s] \approx \varphi[{}^{M'}/_s]$, that is, the intruder cannot distinguish the frames obtained by instantiating the secret $s$ by two terms of its choice. For simplicity we may omit $s$ and write $\varphi[M]$ instead of $\varphi[{}^{M}/_s]$.
2.4. Syntactic secrecy implies strong secrecy. Syntactic secrecy is usually weaker than strong secrecy. We first exhibit some examples of frames that preserve syntactic secrecy but not strong secrecy. They all rely on different properties.

Probabilistic encryption. The frame $\psi_1 = \nu s, k, r.\{{}^{\mathsf{enc}(s, k, r)}/_x, {}^{\mathsf{enc}(n, k, r)}/_y\}$ does not preserve the strong secrecy of $s$. Indeed, $\psi_1[n] \not\approx \psi_1[n']$ since $(x = y)\psi_1[n]$ but $(x \neq y)\psi_1[n']$. This would not happen if each encryption used a distinct randomness, that is, if the encryption was probabilistic.

Key position. The frame $\psi_2 = \nu s, n.\{{}^{\mathsf{enc}(\langle n, n'\rangle, s, r)}/_x\}$ does not preserve the strong secrecy of $s$. Indeed, $\psi_2[k] \not\approx \psi_2[k']$ since $(\pi_2(\mathsf{dec}(x, k)) = n')\psi_2[k]$ but $(\pi_2(\mathsf{dec}(x, k)) \neq n')\psi_2[k']$. If $s$ occurs in key position in some ciphertext, the intruder may try to decrypt the ciphertext, since $s$ is replaced by public terms, and check for some redundancy. It may occur that the encrypted message does not contain any verifiable part. In that case, the frame may preserve strong secrecy. It is for example the case for the frame $\nu n.\{{}^{\mathsf{enc}(n, s, r)}/_x\}$. Such cases are however quite rare in practice.

No destructors. The frame $\psi_3 = \nu s.\{{}^{\pi_1(s)}/_x\}$ does not preserve the strong secrecy of $s$ simply because $(x = k)$ is true for $\psi_3[\langle k, k'\rangle]$ while not for $\psi_3[k]$.

Retrieve rule. The equation $\mathsf{retrieve}(\mathsf{sign}(z_1, z_2)) = z_1$ may seem arbitrary since not all signature schemes enable one to get the signed message out of a signature. It is actually crucial for our result. For example, the frame $\psi_4 = \nu s.\{{}^{\mathsf{sign}(s, \mathsf{priv}(a))}/_x, {}^{\mathsf{pub}(a)}/_y\}$ does not preserve the strong secrecy of $s$ because $(\mathsf{check}(n, x, y) = \mathsf{ok})$ is true for $\psi_4[n]$ but not for $\psi_4[n']$.

In the first three cases, the frames preserve the syntactic secrecy of $s$, that is $\psi_i \nvdash s$ for $1 \leq i \leq 3$. In the fourth case, we would also have $\psi_4 \nvdash s$ without the retrieve equation.
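The rewrite system $\mathcal{R}_E$ and the test relation $(U = V)\varphi$ of Sections 2.1 to 2.3, as an added Python sketch that is mine and not code from the paper; it replays Example 3 and the frames $\psi_1$, $\psi_3$ and $\psi_4$ above, and contrasts $\psi_1$ with a constructed variant that uses fresh randomness. The tuple encoding of terms and the names `Frame`, `passes` and `two_worlds` are my own assumptions.

```python
# Added example: terms of T(Sigma, X, N) are nested tuples (symbol, arg1, ...); names, constants
# and frame variables are plain strings (pair, pi1, pi2 spell <>, pi_1, pi_2).

def is_app(t, f): return isinstance(t, tuple) and t[0] == f

def normalize(t):
    """Normal form under R_E (the equations of E oriented left to right): arguments first, then one
    root step; every right-hand side is a variable or ok, so this bottom-up pass reaches the normal form."""
    if isinstance(t, str):
        return t
    f, args = t[0], [normalize(a) for a in t[1:]]
    if f == 'pi1' and is_app(args[0], 'pair'):                           # pi1(<z1,z2>) = z1
        return args[0][1]
    if f == 'pi2' and is_app(args[0], 'pair'):                           # pi2(<z1,z2>) = z2
        return args[0][2]
    if f == 'dec' and is_app(args[0], 'enc') and args[0][2] == args[1]:  # dec(enc(z1,z2,z3),z2) = z1
        return args[0][1]
    if (f == 'deca' and is_app(args[0], 'enca') and is_app(args[0][2], 'pub')
            and is_app(args[1], 'priv') and args[0][2][1] == args[1][1]):
        return args[0][1]                                # deca(enca(z1,pub(z2),z3),priv(z2)) = z1
    if (f == 'check' and is_app(args[1], 'sign') and args[1][1] == args[0]
            and is_app(args[1][2], 'priv') and is_app(args[2], 'pub') and args[1][2][1] == args[2][1]):
        return 'ok'                                      # check(z1,sign(z1,priv(z2)),pub(z2)) = ok
    if f == 'retrieve' and is_app(args[0], 'sign'):                      # retrieve(sign(z1,z2)) = z1
        return args[0][1]
    return (f, *args)

def replace_name(t, s, M):
    """t[M/s]: the term M replaces every occurrence of the name s."""
    if isinstance(t, str):
        return M if t == s else t
    return (t[0], *(replace_name(a, s, M) for a in t[1:]))

class Frame:
    """nu n.sigma: restricted names plus a substitution from frame variables to terms."""
    def __init__(self, restricted, sigma):
        self.restricted, self.sigma = frozenset(restricted), dict(sigma)

    def instantiate(self, s, M):
        """phi[M/s]: instantiate the restricted name s by M in every term of sigma."""
        return Frame(self.restricted, {y: replace_name(t, s, M) for y, t in self.sigma.items()})

    def is_public(self, t):
        """Public w.r.t. this frame: no restricted name and no priv symbol (frame variables allowed)."""
        if isinstance(t, str):
            return t in self.sigma or t not in self.restricted
        return t[0] != 'priv' and all(self.is_public(a) for a in t[1:])

    def apply(self, t):
        """t sigma: substitute the frame's terms for its variables."""
        if isinstance(t, str):
            return self.sigma.get(t, t)
        return (t[0], *(self.apply(a) for a in t[1:]))

    def passes(self, U, V):
        """(U = V)phi: U sigma =_E V sigma, decided on normal forms since R_E is convergent."""
        if not (self.is_public(U) and self.is_public(V)):
            raise ValueError('tests must be public w.r.t. the frame')
        return normalize(self.apply(U)) == normalize(self.apply(V))

# Example 2/3: the same deducible messages, but dec(x, z) = pi1(y) separates the two frames.
PHI1 = Frame({'k', 'n1', 'n2', 'r1'}, {'x': ('enc', 'n1', 'k', 'r1'), 'y': ('pair', 'n1', 'n2'), 'z': 'k'})
PHI2 = Frame({'k', 'n1', 'n2', 'r1'}, {'x': ('enc', 'n2', 'k', 'r1'), 'y': ('pair', 'n1', 'n2'), 'z': 'k'})

def example3():
    U, V = ('dec', 'x', 'z'), ('pi1', 'y')
    return PHI1.passes(U, V), PHI2.passes(U, V)            # (True, False): not statically equivalent

# psi1: one randomness r for two encryptions; the test (x = y) tells psi1[n] from psi1[n'].
PSI1 = Frame({'s', 'k', 'r'}, {'x': ('enc', 's', 'k', 'r'), 'y': ('enc', 'n', 'k', 'r')})
# Constructed repair: a fresh randomness r' for the second encryption (probabilistic encryption).
PSI1_PROB = Frame({'s', 'k', 'r', "r'"}, {'x': ('enc', 's', 'k', 'r'), 'y': ('enc', 'n', 'k', "r'")})
# psi3: the stuck destructor pi1(s) keeps s undeducible, yet (x = k) tells psi3[<k,k'>] from psi3[k].
PSI3 = Frame({'s'}, {'x': ('pi1', 's')})
# psi4: through the check rule, the signature of s is an oracle for the value of s.
PSI4 = Frame({'s'}, {'x': ('sign', 's', ('priv', 'a')), 'y': ('pub', 'a')})

def two_worlds(frame, M1, M2, U, V):
    """Evaluate the test (U = V) in frame[M1/s] and in frame[M2/s]; a differing outcome shows
    that the two worlds are distinguishable, so s is not strongly secret."""
    return frame.instantiate('s', M1).passes(U, V), frame.instantiate('s', M2).passes(U, V)

def leaks():
    return {
        'psi1': two_worlds(PSI1, 'n', "n'", 'x', 'y'),                            # (True, False)
        'psi1_prob': two_worlds(PSI1_PROB, 'n', "n'", 'x', 'y'),                  # (False, False)
        'psi3': two_worlds(PSI3, ('pair', 'k', "k'"), 'k', 'x', 'k'),             # (True, False)
        'psi4': two_worlds(PSI4, 'n', "n'", ('check', 'n', 'x', 'y'), 'ok'),      # (True, False)
    }
```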

We define agent encryptions as encryptions which use "true" randomness, that is, fresh names. Note that in the passive case all encryptions are produced by agents and not by the intruder. Encryption (as a primitive) is probabilistic if each (instance of the) encryption uses a distinct randomness. Next, we define those notions formally.

We say that an occurrence $q_{enc}$ of an encryption in a term $U$ is an agent encryption w.r.t. a set of names $\tilde{n}$ if $U|_{q_{enc} \cdot 3} \in \tilde{n}$. We say that an occurrence $q_{enc}$ of an encryption in a term $U$ is a probabilistic encryption w.r.t. a set of terms $S$ if no distinct term shares the same randomness, that is, for any term $V \in S$ and position $p$ such that $V|_p = U|_{q_{enc} \cdot 3}$ we have that $p = q \cdot 3$ for some $q$ and $V|_q = U|_{q_{enc}}$.

The previous examples lead us to the following definition.

Definition 1. A frame $\varphi = \nu\tilde{n}.\sigma$ is well-formed w.r.t. some name $s$ if

(1) any encryption in $\sigma$ is an agent encryption w.r.t. $\tilde{n} \setminus \{s\}$ and a probabilistic encryption w.r.t. the set of terms of $\sigma$;

(2) $s$ is not part of a key or a randomness, i.e. for all $\mathsf{enc}(M, K, R)$, $\mathsf{enca}(M', K', R')$, $\mathsf{sign}(U, V)$, $\mathsf{pub}(W)$, $\mathsf{priv}(W')$ subterms of $\varphi$, $s \notin \mathrm{fn}(K, K', V, W, W', R, R')$;

(3) $\varphi$ does not contain destructor symbols.

For well-formed frames, syntactic secrecy is actually equivalent to strong secrecy.

Theorem 2.2. Let $\varphi$ be a well-formed frame w.r.t. $s$, where $s$ is a restricted name in $\varphi$.

$$\varphi \nvdash s \quad\text{if and only if}\quad \varphi[{}^{M}/_s] \approx \varphi[{}^{M'}/_s]$$

for all $M, M'$ closed public terms w.r.t. $\varphi$.
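To make Definition 1 and Theorem 2.2 concrete, here is an added Python checker (mine, not the authors') for the three well-formedness conditions, together with a saturation-based deducibility check for names under $E$, applied to the frames $\psi_1$ to $\psi_4$ of Section 2.4, to Example 1, and to a constructed frame $\nu s, k, r.\{{}^{\mathsf{enc}(s, k, r)}/_x\}$. The tuple encoding of terms, the function names and the saturation procedure are my own assumptions; $\psi_2$ is built with $r$ restricted so that only its key position is at fault.

```python
# Added example: terms are nested tuples (symbol, arg1, ...); names and constants are strings
# (pair, pi1, pi2 spell <>, pi_1, pi_2).  A frame is a pair (restricted names, sigma as a dict).

DESTRUCTORS = {'pi1', 'pi2', 'dec', 'deca', 'check', 'retrieve'}

def is_app(t, f): return isinstance(t, tuple) and t[0] == f

def subterms(t):
    """Every subterm occurrence of t, t itself included."""
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)

def fn(t): return {u for u in subterms(t) if isinstance(u, str)}   # names occurring in t

def randomness_reused(r, e, terms):
    """Not probabilistic w.r.t. 'terms': r occurs other than as the randomness of a copy of e."""
    def bad(t):
        if t == r:
            return True
        if isinstance(t, str):
            return False
        if t == e:                          # the legitimate occurrence; r may not reappear inside
            return any(bad(a) for a in t[1:3])
        return any(bad(a) for a in t[1:])
    return any(bad(t) for t in terms)

def well_formed(restricted, sigma, s):
    """Definition 1: (True, 'well-formed') or (False, the first violated condition)."""
    terms = list(sigma.values())
    for t in terms:
        for u in subterms(t):
            if not isinstance(u, tuple):
                continue
            if u[0] in DESTRUCTORS:                                   # (3) no destructor symbols
                return False, f'(3) destructor {u[0]} occurs in the frame'
            if u[0] in ('enc', 'enca'):                               # (1) agent and probabilistic
                r = u[3]
                if not (isinstance(r, str) and r in restricted and r != s):
                    return False, f'(1) randomness {r!r} is not a fresh restricted name'
                if randomness_reused(r, u, terms):
                    return False, f'(1) randomness {r!r} is shared by distinct terms'
            guarded = {'enc': u[2:], 'enca': u[2:], 'sign': u[2:], 'pub': u[1:], 'priv': u[1:]}
            if any(s in fn(a) for a in guarded.get(u[0], ())):        # (2) s not in a key/randomness
                return False, f'(2) {s} occurs in a key or randomness of {u!r}'
    return True, 'well-formed'

def derivable(t, known, restricted):
    """Can t be composed from 'known' with free names and constructors other than priv?"""
    if t in known:
        return True
    if isinstance(t, str):
        return t not in restricted
    return t[0] != 'priv' and all(derivable(a, known, restricted) for a in t[1:])

def deducible(restricted, sigma, s):
    """nu restricted.sigma |- s: saturate ran(sigma) under the destructor equations of E, then compose s."""
    known, changed = set(sigma.values()), True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if is_app(t, 'pair'):
                new = {t[1], t[2]}
            elif is_app(t, 'sign'):                                   # retrieve(sign(z1, z2)) = z1
                new = {t[1]}
            elif is_app(t, 'enc') and derivable(t[2], known, restricted):
                new = {t[1]}
            elif is_app(t, 'enca') and is_app(t[2], 'pub') and derivable(('priv', t[2][1]), known, restricted):
                new = {t[1]}
            if not new <= known:
                known |= new
                changed = True
    return derivable(s, known, restricted)

def theorem_2_2(restricted, sigma, s):
    """Strong secrecy of s as decided by Theorem 2.2; None when the frame is not well-formed."""
    if not well_formed(restricted, sigma, s)[0]:
        return None
    return not deducible(restricted, sigma, s)

# Frames of Section 2.4 (psi2 with r restricted) and a constructed well-formed frame GOOD.
PSI1 = ({'s', 'k', 'r'}, {'x': ('enc', 's', 'k', 'r'), 'y': ('enc', 'n', 'k', 'r')})
PSI2 = ({'s', 'n', 'r'}, {'x': ('enc', ('pair', 'n', "n'"), 's', 'r')})
PSI3 = ({'s'}, {'x': ('pi1', 's')})
PSI4 = ({'s'}, {'x': ('sign', 's', ('priv', 'a')), 'y': ('pub', 'a')})
GOOD = ({'s', 'k', 'r'}, {'x': ('enc', 's', 'k', 'r')})

def verdicts():
    """None: not well-formed (no verdict); False: well-formed but s deducible; True: strongly secret."""
    return {name: theorem_2_2(*frame, 's') for name, frame in
            [('psi1', PSI1), ('psi2', PSI2), ('psi3', PSI3), ('psi4', PSI4), ('good', GOOD)]}

def example1():
    """Example 1: k is deducible from nu k,k',r.{enc(<k,k'>,k',r)/x, k'/y}."""
    return deducible({'k', "k'", 'r'}, {'x': ('enc', ('pair', 'k', "k'"), "k'", 'r'), 'y': "k'"}, 'k')
```

For $\psi_4$ the verdict is False because $\mathsf{retrieve}$ makes $s$ deducible, matching the remark that without that equation $\psi_4 \nvdash s$ would hold.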
Proof. Let $\varphi = \nu\tilde{n}.\sigma$ be a well-formed frame w.r.t. $s$. If $\varphi \vdash s$, this trivially implies that $s$ is not strongly secret. Indeed, there exists a public term $T$ w.r.t. $\varphi$ such that $T\sigma =_E s$, by Proposition 2.1. Let $n_1, n_2$ be fresh names such that $n_1, n_2 \notin \tilde{n}$ and $n_1, n_2 \notin \mathrm{fn}(\varphi)$. Since $T\sigma[{}^{n_i}/_s] =_E n_i$, the frames $\varphi[{}^{n_1}/_s]$ and $\varphi[{}^{n_2}/_s]$ are distinguishable with the test $(T = n_1)$.

We assume now that $\varphi \nvdash s$. We first show that any syntactic equality satisfied by the frame $\varphi[{}^{M}/_s]$ is already satisfied by $\varphi$.

Lemma 2.3. Let $\varphi = \nu\tilde{n}.\sigma$ be a well-formed frame w.r.t. $s \in \tilde{n}$ such that $\varphi \nvdash s$. Let $U$, $V$ and $M$ be public terms w.r.t. $\varphi$, with $\mathcal{V}(U), \mathcal{V}(V) \subseteq \mathrm{dom}(\sigma)$ and $M$ ground. Then $U\sigma[{}^{M}/_s] = V\sigma[{}^{M}/_s]$ implies $U\sigma = V\sigma$.

This lemma is proved in Subsection 2.5.

The key lemma is that any reduction that applies to a deducible term $U$ where $s$ is replaced by some $M$ directly applies to $U$.

Lemma 2.4. Let $\varphi = \nu\tilde{n}.\sigma$ be a well-formed frame w.r.t. $s \in \tilde{n}$ such that $\varphi \nvdash s$. Let $U$ be a term with $\mathcal{V}(U) \subseteq \mathrm{dom}(\varphi)$ and $M$ be a closed term in normal form such that $U$ and $M$ are public w.r.t. $\varphi$. If $U\sigma[{}^{M}/_s] \to V$, for some term $V$, then there exists a frame $\varphi' = \nu\tilde{n}.\sigma'$ well-formed w.r.t. $s$

• extending $\varphi$, that is $x\sigma' = x\sigma$ for all $x \in \mathrm{dom}(\sigma)$,

• preserving deducible terms: $\varphi \vdash W$ if and only if $\varphi' \vdash W$,

• and such that $V = V'\sigma'[{}^{M}/_s]$ and $U\sigma \to V'\sigma'$ for some $V'$ public w.r.t. $\varphi'$.

This lemma (proved in Subsection 2.5) allows us to conclude the proof of Theorem 2.2. Fix arbitrarily two public closed terms $M, M'$. We can assume w.l.o.g. that $M$ and $M'$ are in normal form. Let $U$, $V$ be two public terms such that $\mathcal{V}(U), \mathcal{V}(V) \subseteq \mathrm{dom}(\varphi)$ and $U\sigma[{}^{M}/_s] =_E V\sigma[{}^{M}/_s]$. Then there are $U_1, \ldots, U_k$ and $V_1, \ldots, V_l$ such that $U\sigma[{}^{M}/_s] \to U_1 \to \cdots \to U_k$, $V\sigma[{}^{M}/_s] \to V_1 \to \cdots \to V_l$, $U_k = U\sigma[{}^{M}/_s]{\downarrow}$, $V_l = V\sigma[{}^{M}/_s]{\downarrow}$ and $U_k = V_l$.

Applying repeatedly Lemma 2.4 we obtain that there exist public terms $U'_1, \ldots, U'_k$ and $V'_1, \ldots, V'_l$ and well-formed frames $\varphi_i = \nu\tilde{n}.\sigma_i$, for $i \in \{1, \ldots, k\}$, and $\psi_j = \nu\tilde{n}.\theta_j$, for $j \in \{1, \ldots, l\}$ (as in the lemma) such that $U_i = U'_i\sigma_i[{}^{M}/_s]$, $U\sigma \to U'_1\sigma_1$, $U'_i\sigma_i \to U'_{i+1}\sigma_{i+1}$, $V_j = V'_j\theta_j[{}^{M}/_s]$, $V\sigma \to V'_1\theta_1$ and $V'_j\theta_j \to V'_{j+1}\theta_{j+1}$.

The substitution $\sigma_k$ extends $\sigma$, which means that $\sigma_k = \sigma \cup \sigma'_k$ with $\mathrm{dom}(\sigma) \cap \mathrm{dom}(\sigma'_k) = \emptyset$. Similarly, $\theta_l = \sigma \cup \theta'_l$ with $\mathrm{dom}(\sigma) \cap \mathrm{dom}(\theta'_l) = \emptyset$. By possibly renaming the variables of $\theta'_l$ and of the $V'_j$, we can assume that $\mathrm{dom}(\sigma'_k) \cap \mathrm{dom}(\theta'_l) = \emptyset$. We consider $\varphi' = \nu\tilde{n}.\sigma'$ where $\sigma' = \sigma \cup \sigma'_k \cup \theta'_l$. Since only subterms of $\varphi$ have been added to $\varphi'$, it is easy to verify that $\varphi'$ is still a well-formed frame and that for every term $W$ we have $\varphi \vdash W$ if and only if $\varphi' \vdash W$. In particular $\varphi' \nvdash s$.

By construction we have that $U'_k\sigma_k[{}^{M}/_s] = V'_l\theta_l[{}^{M}/_s]$. Then, by Lemma 2.3, we deduce that $U'_k\sigma_k = V'_l\theta_l$, that is $U\sigma =_E V\sigma$. By stability of substitution of names, we have $U\sigma[{}^{M'}/_s] =_E V\sigma[{}^{M'}/_s]$. We deduce that $\varphi[{}^{M}/_s] \approx \varphi[{}^{M'}/_s]$. □

2.5. Generalization of well-formed frames. In the active case, we need a more general definition for well-formed frames and for the corresponding lemmas. In particular, we need to consider frames with destructor symbols. Thus we provide here the definition of extended well-formed frames, show that well-formed frames are special cases of extended well-formed frames (when the frames preserve syntactic secrecy), and then prove analogous lemmas for extended well-formed frames.

We say that there is an encryption plaintext-above a subterm $T$ of a term $U$ at position $q_T$ if there is a position $q < q_T$ such that $U|_q$ is a ciphertext, that is $h_{U|_q} \in \{\mathsf{enc}, \mathsf{enca}\}$. In addition, $T$ occurs in the plaintext subterm of the encrypted term, that is $q \cdot 1 \leq q_T$.

Definition 2. We say that a frame $\varphi = \nu\tilde{n}.\sigma$ is extended well-formed w.r.t. $s$ if (1) all the terms of $\sigma$ are in normal form, (2) any agent encryption w.r.t. $\tilde{n}$ in $\sigma$ is a probabilistic encryption w.r.t. $\mathrm{ran}(\sigma)$, and (3) for every occurrence $q_s$ of $s$ in $y\sigma$ with $y \in \mathrm{dom}(\sigma)$, there exists an agent encryption (say $q_{enc}$) w.r.t. $\tilde{n} \setminus \{s\}$ plaintext-above $s$. In addition, (4) the lowest agent encryption $q_0$ plaintext-above $s$ satisfies $h_{y\sigma|_q} \in \{\langle\,\rangle, \mathsf{sign}\}$ for all positions $q$ with $q_0 < q < q_s$.

This definition ensures in particular that there is no destructor directly above $s$.

Example 4. The frame $\varphi = \nu s, k, n.\{{}^{\pi_1(\mathsf{enc}(\langle a, \mathsf{enc}(\langle b, s\rangle, k, n)\rangle, k', n''))}/_x, {}^{\mathsf{enc}(a, k', n')}/_y, {}^{\mathsf{enc}(b, k', n')}/_z\}$ is extended well-formed, while the frames $\varphi_2 = \nu n.\{{}^{\mathsf{enc}(a, k, n)}/_y, {}^{\mathsf{enc}(b, k, n)}/_{y'}\}$, $\varphi_3 = \nu s, n.\{{}^{\mathsf{enc}(a, s, n)}/_x\}$ and $\varphi_4 = \nu s, k, n.\{{}^{\mathsf{enc}(\pi_1(s), k, n)}/_x\}$ are not, each frame $\varphi_i$ contradicting condition $(i)$.

We first start with a preliminary lemma which states that in a well-formed frame w.r.t. $s$, either every occurrence of $s$ is under some encryption or $s$ is deducible.

Lemma 2.5. Let $\varphi = \nu\tilde{n}.\sigma$ be a well-formed frame w.r.t. $s \in \tilde{n}$ and let $q_s$ be an occurrence of $s$ in $y\sigma$ for some $y \in \mathrm{dom}(\sigma)$. If $\varphi \nvdash s$ then there is an encryption plaintext-above $s$, that is, there exists a position $q < q_s$ such that $y\sigma|_q$ is a ciphertext, that is $h_{y\sigma|_q} \in \{\mathsf{enc}, \mathsf{enca}\}$. In addition, $s$ occurs in the plaintext subterm of the encrypted term, that is $q \cdot 1 \leq q_s$.

Proof. Assume by contradiction that there is an occurrence of $s$ such that there is no encryption plaintext-above $s$. Then, from Properties (2) and (3) of well-formed frames, we have that there are only pairs and signatures as function symbols above $s$. Hence $s$ is deducible (by applying the projections and the retrieve equations). Thus there exists a position $q < q_s$ such that $y\sigma|_q$ is an encryption. By Property (2) of well-formed frames, $s$ must occur in the plaintext part of the encryption, that is $q \cdot 1 \leq q_s$. □

Lemma 2.6. Let $\varphi = \nu\tilde{n}.\sigma$ be a frame and $s$ a restricted name in $\varphi$ such that $\varphi \nvdash s$. If $\varphi$ is a well-formed frame w.r.t. $s$ then it is an extended well-formed frame w.r.t. $s$.

Proof. Since there are no destructor symbols in $\varphi$, all terms are in normal form. Since any encryption in $\sigma$ is probabilistic, it will be a fortiori the case for agent encryptions.

Consider an occurrence $q_s$ of $s$ in $y\sigma$ with $y \in \mathrm{dom}(\sigma)$. From Lemma 2.5 we have that there is at least one encryption plaintext-above $s$ in $y\sigma$. Consider the lowest one. Then condition (1) of well-formed frames says that this encryption is an agent encryption. Conditions (2) and (3) impose that the only function symbols in between may be $\langle\,\rangle$ and $\mathsf{sign}$. □

The following lemma states that if in two distinct terms the secret is protected by agent probabilistic encryptions, then by replacing the secret with any term we cannot obtain two syntactically equal terms.

Lemma 2.7. Let $\tilde{n}$ be a set of names and $s$ be a name, $s \in \tilde{n}$. Let $M$ be a ground public term w.r.t. $\tilde{n}$ and $U, V$ be two terms such that for any occurrence $q_s$ of $s$ (in $U$ or $V$) there is an encryption $q_{enc}$ (in $U$ or $V$ respectively) with $q_{enc} \cdot 1 \leq q_s$ such that $q_{enc}$ is an agent encryption w.r.t. $\tilde{n} \setminus \{s\}$ and $q_{enc}$ is a probabilistic encryption w.r.t. $\{U, V\}$. Then $U[{}^{M}/_s] = V[{}^{M}/_s]$ implies $U = V$.

Proof. Suppose that $U[{}^{M}/_s] = V[{}^{M}/_s]$ and $U \neq V$. Then there is an occurrence $q_s$ of $s$, say in $U$, such that $V|_{q_s} \neq s$. Consider an agent probabilistic encryption $q_{enc}$ with $q_{enc} \cdot 1 \leq q_s$ as in the lemma. We have $U|_{q_{enc} \cdot 3} \in \tilde{n} \setminus \{s\}$. It follows that $V[{}^{M}/_s]|_{q_{enc} \cdot 3} \in \tilde{n} \setminus \{s\}$. Since $M$ is public this implies that $q_{enc} \cdot 3$ is a position in $V$. And since $q_{enc}$ is a probabilistic encryption and $U|_{q_{enc} \cdot 3} = V|_{q_{enc} \cdot 3}$, it follows that $U|_{q_{enc}} = V|_{q_{enc}}$. Hence $U|_{q_s} = V|_{q_s}$, which is a contradiction with $V|_{q_s} \neq s$. □

Corollary 2.8. Let $\varphi = \nu\tilde{n}.\sigma$ be an extended well-formed frame w.r.t. $s \in \tilde{n}$ such that $\varphi \nvdash s$. Let $U$, $V$ and $M$ be public terms w.r.t. $\varphi$, with $\mathcal{V}(U), \mathcal{V}(V) \subseteq \mathrm{dom}(\sigma)$ and $M$ ground. Let $W, W'$ be subterms of terms in $\mathrm{ran}(\sigma)$ such that for every occurrence $q_s$ of $s$ in $W$ (or $W'$) there is an occurrence of an encryption $q_{enc}$ in $W$ (or $W'$ respectively) with $q_{enc} < q_s$. Then

(1) $U\sigma[{}^{M}/_s] = V\sigma[{}^{M}/_s]$ implies $U\sigma = V\sigma$;

(2) $U\sigma[{}^{M}/_s] = W[{}^{M}/_s]$ implies $U\sigma = W$;

(3) $W[{}^{M}/_s] = W'[{}^{M}/_s]$ implies $W = W'$.

Proof. We prove below that in $U\sigma$ and in $W$, for each occurrence $q_s$ of $s$ there is an encryption $q'_{enc}$ (in $y\sigma$ for some $y \in \mathcal{V}(U)$, and in $W$ respectively) with $q'_{enc} \cdot 1 \leq q_s$ such that $q'_{enc}$ is an agent encryption w.r.t. $\tilde{n} \setminus \{s\}$. Then, by analogy, the same thing holds for $V\sigma$ and $W'$. Since by condition (2) of extended well-formed frames an agent encryption w.r.t. $\tilde{n}$ is a probabilistic encryption, it follows that each pair $(U\sigma, V\sigma)$, $(U\sigma, W)$ and $(W, W')$ satisfies the conditions of Lemma 2.7. Then the result follows directly.

Consider an occurrence $q_s$ of $s$ in $U\sigma$. Since $U$ is public, there is a variable $y \in \mathcal{V}(U) \subseteq \mathrm{dom}(\sigma)$ and an occurrence $p_y$ of it in $U$ such that $p_y < q_s$. From the definition of extended well-formed frames we know that there is an encryption $q'_{enc}$ in $y\sigma$ with $q'_{enc} \cdot 1 \leq q_s$ which is an agent encryption w.r.t. $\tilde{n} \setminus \{s\}$. Hence $q'_{enc}$ satisfies the conditions of Lemma 2.7.

In $W$, for each occurrence $q_s$ of $s$ there is an occurrence $q_{enc}$ of an encryption above $q_s$. Then we can consider the lowest occurrence $q'_{enc}$ of an encryption above $q_s$ in $W$. By the definition of extended well-formed frames, the lowest encryption above $q_s$ is an agent encryption and is plaintext-above $q_s$. Hence $q'_{enc}$ satisfies the conditions of Lemma 2.7. □

Lemma 2.3 can now be easily deduced since it is the analogous statement of Point (1) of Corollary 2.8 for well-formed frames (which are extended well-formed frames, as we have seen in Lemma 2.6).

The following lemma is the generalization of Lemma 2.4 for extended well-formed frames.

Lemma 2.9. Let $\varphi = \nu\tilde{n}.\sigma$ be an extended well-formed frame w.r.t. $s \in \tilde{n}$ such that $\varphi \nvdash s$. Let $U$ be a term with $\mathcal{V}(U) \subseteq \mathrm{dom}(\varphi)$ and $M$ be a closed term in normal form such that $U$ and $M$ are public w.r.t. $\varphi$. If $U\sigma[{}^{M}/_s] \to V$, for some term $V$, then there exists an extended well-formed frame $\varphi' = \nu\tilde{n}.\sigma'$ w.r.t. $s$

• extending $\varphi$, that is $x\sigma' = x\sigma$ for all $x \in \mathrm{dom}(\sigma)$,

• preserving deducible terms: $\varphi \vdash W$ if and only if $\varphi' \vdash W$,

• and such that $V = V'\sigma'[{}^{M}/_s]$ and $U\sigma \to V'\sigma'$ for some $V'$ public w.r.t. $\varphi'$.

We give here only a proof sketch; the detailed proof can be found in Appendix A.

Proof sketch. Let $U, V, M$ be terms with $U$ and $M$ public w.r.t. $\varphi$, $M$ being closed and in normal form, such that $U\sigma[{}^{M}/_s] \to V$, as in the statement of the lemma. Let $L \to R \in \mathcal{R}_E$
be the rule that was applied in the above reduction and let $p$ be the position at which it was applied, i.e. $U\sigma[{}^{M}/_s]|_p = L\theta$. Since $M$ is in normal form, $p \in \mathrm{Pos}(U\sigma)$.

By a case analysis of the rewrite rules in $\mathcal{R}_E$ one can prove that there is a substitution $\theta_0$ such that $U\sigma|_p = L\theta_0$. It follows that $U\sigma$ is reducible. Since all terms in an extended well-formed frame, thus in $\varphi$, are in normal form, we have that $p \in \mathrm{Pos}_{nv}(U)$. Then, for $T = U|_p$, $T\sigma[{}^{M}/_s] = L\theta$ and $T\sigma = L\theta_0$.

For our equational theory $E$, $R$ is either a constant (i.e. $\mathsf{ok}$) or a variable. If $R$ is a constant then we take $V' = U[R]_p$ and $\sigma' = \sigma$. If $R$ is a variable, say $z_0$, then consider the position $q$ of $z_0$ in $L$. This position $q$ is also in $L\theta_0$, that is in $T\sigma$. Hence the two following possibilities may occur:

(1) If $q \in \mathrm{Pos}_{nv}(T)$, that is there is no $y \in \mathrm{dom}(\sigma)$ above $z_0$, then we consider $V' = U[T|_q]_p$ and $\sigma' = \sigma$.

(2) If $q \notin \mathrm{Pos}_{nv}(T)$, that is there is some $y \in \mathrm{dom}(\sigma)$ above $z_0$, then we consider $V' = U[y']_p$ and $\sigma' = \sigma \cup \{{}^{R\theta_0}/_{y'}\}$, where $y'$ is a new variable (i.e. $y' \notin \mathrm{dom}(\sigma)$).

A simple analysis of these three cases shows that $\sigma'$ and $V'$ satisfy the conditions of the lemma. □

3. Active case 

In the active case, we provide sufficient conditions for syntactic and strong secrecy 
to be also equivalent. In particular, we require that no test is performed directly on the 
secret. We establish our equivalence result in the applied pi calculus framework, introduced 
by Martin Abadi and Cedric Fournet. We do not make any restriction on the use of the 
replication symbol, which means that protocols with an unbounded number of sessions as 
well as protocols with a bounded number of sessions can be considered. 

3.1. Modeling protocols within the applied pi calculus. The applied pi calculus [1] is a process algebra well-suited for modeling cryptographic protocols, generalizing the spi-calculus [2]. We shortly describe its syntax and semantics. This part is mostly borrowed from [1].

Processes, also called plain processes, are defined by the grammar:

    $P, Q :=$                              processes
        $0$                                null process
        $P \mid Q$                         parallel composition
        $!P$                               replication
        $\nu n.P$                          name restriction
        $u(z).P$                           message input
        $\bar u\langle M\rangle.P$         message output
        if $T = T'$ then $P$ else $Q$      conditional

where $n$ is a name, $M, T, T'$ are terms, and $u$ is a name or a variable. The null process does nothing. Parallel composition executes the two processes concurrently. Replication $!P$ creates unboundedly many instances of $P$. Name restriction $\nu n.P$ builds a new, private name $n$, called channel name, binds it in $P$ and then executes $P$. The conditional if $T = T'$ then $P$ else $Q$ behaves like $P$ or $Q$ depending on the result of the test $T = T'$. If $Q$ is the null process then we use the notation $[T = T'].P$ instead. Finally, the process $u(z).P$ inputs a message and executes $P$ binding the variable $z$ to the received message, while the process $\bar u\langle M\rangle.P$ outputs the message $M$ and then behaves like $P$. We may omit $P$ if it is $0$. In what follows, we restrict our attention to the case where $u$ is a name since it is usually sufficient to model cryptographic protocols.²

Extended processes are defined by the grammar:

    $A, B :=$                    extended processes
        $P$                      plain process
        $A \mid B$               parallel composition
        $\nu n.A$                name restriction
        $\nu x.A$                variable restriction
        $\{M/x\}$                active substitution

Active substitutions are just cycle-free substitutions. They generalise the let binding, in the sense that $\nu x.(\{M/x\} \mid P)$ corresponds to the standard construction let $x = M$ in $P$, while unrestricted, $\{M/x\}$ behaves like a permanent knowledge, permitting to refer globally to $M$ by means of $x$. Substitutions $\{M_1/x_1, \ldots, M_l/x_l\}$ with $l \ge 0$ are identified with extended processes $\{M_1/x_1\} \mid \cdots \mid \{M_l/x_l\}$. In particular, the empty substitution is identified with the null process.

We denote by $\mathrm{fv}(A)$, $\mathrm{bv}(A)$, $\mathrm{fn}(A)$, and $\mathrm{bn}(A)$ the sets of free and bound variables and free and bound names of $A$, respectively, defined inductively as usual and using $\mathrm{fv}(\{M/x\}) = \mathrm{fv}(M) \cup \{x\}$ and $\mathrm{fn}(\{M/x\}) = \mathrm{fn}(M)$ for active substitutions. An extended process is closed if it has no free variables except those in the domain of active substitutions.

Extended processes built up from the null process and active substitutions (using the given constructions, that is, parallel composition, restriction and active substitutions) are called frames.³ To every extended process $A$ we associate the frame $\varphi(A)$ obtained by replacing all embedded plain processes with $0$. For example, if $A = \nu y, k, r.(\{\mathrm{enc}(m, k, r)/x,\ a/y\} \mid c(y))$ then $\varphi(A) = \nu y, k, r.\{\mathrm{enc}(m, k, r)/x,\ a/y\}$. Note that $\varphi(A) \equiv \nu k, r.\{\mathrm{enc}(m, k, r)/x\}$.

An evaluation context is an extended process with a hole not under a replication, a 
conditional, an input or an output. 

Structural equivalence ($\equiv$) is the smallest equivalence relation on extended processes that is closed by $\alpha$-conversion of names and variables, by application of evaluation contexts and such that the standard structural rules for the null process, parallel composition and restriction (such as associativity and commutativity of $\mid$, commutativity and binding-operator-like behaviour of $\nu$) together with the following ones hold.

    $\nu x.\{M/x\} \equiv 0$                                    ALIAS
    $\{M/x\} \mid A \equiv \{M/x\} \mid A\{M/x\}$               SUBST
    $\{M/x\} \equiv \{N/x\}$ if $M =_E N$                       REWRITE

If $\tilde n$ represents the (possibly empty) set $\{n_1, \ldots, n_k\}$, we abbreviate by $\nu\tilde n$ the sequence $\nu n_1.\nu n_2 \ldots \nu n_k$. Every closed extended process $A$ can be brought to the form $\nu\tilde n.\{M_1/x_1\} \mid \ldots \mid \{M_l/x_l\} \mid P$ by using structural equivalence, where $P$ is a plain closed process, $l \ge 0$ and $\tilde n \subseteq \bigcup_i \mathrm{fn}(M_i)$. Hence the two definitions of frames are equivalent up to structural equivalence on closed extended processes. To see this we apply rule SUBST until all terms are ground (this is assured by the fact that the considered extended processes are closed and the active substitutions are cycle-free). Also, another consequence is that if $A \equiv B$ then $\varphi(A) \equiv \varphi(B)$.



² Note that we do not change the calculus. In particular, there is no restriction on the use of channels for adversaries/observers that are used in the definition of observational equivalence.

³ We see later in this section why we use the same name as for the notion defined in Section 2.
Two semantics can be considered for this calculus, defined by structural equivalence and by internal reduction and labeled reduction, respectively. These semantics lead to observational equivalence (which is standard and not recalled here) and labeled bisimilarity relations. The two bisimilarity relations are equal [1]. We use here the latter since it relies on static equivalence and it allows to take implicitly into account the adversary, hence having the advantage of not using quantification over contexts.

Internal reduction is the smallest relation on extended processes which is closed by structural equivalence and application of evaluation contexts, and such that:

    $\bar c\langle x\rangle.P \mid c(x).Q \to P \mid Q$                                                    COMM
    if $T = T'$ then $P$ else $Q \to P$, for any ground terms $T$ and $T'$ such that $T =_E T'$      THEN
    if $T = T'$ then $P$ else $Q \to Q$, for any ground terms $T$ and $T'$ such that $T \ne_E T'$     ELSE

On the other hand, labeled reduction is defined by the following rules:

    IN         $c(x).P \xrightarrow{c(M)} P\{M/x\}$
    OUT-ATOM   $\bar c\langle u\rangle.P \xrightarrow{\bar c\langle u\rangle} P$
    OPEN-ATOM  $\dfrac{A \xrightarrow{\bar c\langle u\rangle} A' \quad u \ne c}{\nu u.A \xrightarrow{\nu u.\bar c\langle u\rangle} A'}$
    SCOPE      $\dfrac{A \xrightarrow{\alpha} A' \quad u \text{ does not occur in } \alpha}{\nu u.A \xrightarrow{\alpha} \nu u.A'}$
    PAR        $\dfrac{A \xrightarrow{\alpha} A' \quad (*)}{A \mid B \xrightarrow{\alpha} A' \mid B}$
    STRUCT     $\dfrac{A \equiv B \quad B \xrightarrow{\alpha} B' \quad B' \equiv A'}{A \xrightarrow{\alpha} A'}$

where $c$ is a name and $u$ is a metavariable that ranges over names and variables, and the condition $(*)$ of the rule PAR is $\mathrm{bv}(\alpha) \cap \mathrm{fv}(B) = \mathrm{bn}(\alpha) \cap \mathrm{fn}(B) = \emptyset$.

Definition 3. Labeled bisimilarity ($\approx_l$) is the largest symmetric relation $\mathcal R$ on closed extended processes such that $A \mathcal R B$ implies:

(1) $\varphi(A) \approx \varphi(B)$;

(2) if $A \to A'$ then $B \to^* B'$ and $A' \mathcal R B'$, for some $B'$;

(3) if $A \xrightarrow{\alpha} A'$ and $\mathrm{fv}(\alpha) \subseteq \mathrm{dom}(\varphi(A))$ and $\mathrm{bn}(\alpha) \cap \mathrm{fn}(B) = \emptyset$ then $B \to^* \xrightarrow{\alpha} \to^* B'$ and $A' \mathcal R B'$, for some $B'$.

We denote $A \Rightarrow B$ if $A \to B$ or $A \xrightarrow{\alpha} B$.

Definition 4. A frame $\varphi$ is valid w.r.t. a process $P$ if there is $A$ such that $P \Rightarrow^* A$ and $\varphi = \varphi(A)$.

Definition 5. Let $P$ be a closed plain process without variables as channels and $s$ a bound name of $P$, but not a channel name. We say that $s$ is syntactically secret in $P$ if, for every valid frame $\varphi$ w.r.t. $P$, $s$ is not deducible from $\varphi$. We say that $s$ is strongly secret if for any closed terms $M, M'$ such that $\mathrm{bn}(P) \cap (\mathrm{fn}(M) \cup \mathrm{fn}(M')) = \emptyset$, $P[M/s] \approx_l P[M'/s]$, where $P[M/s]$ represents the instantiation of the name $s$ with $M$ in $P$ except (of course) in the name restriction constructions.

Let $\mathcal M_0(P)$ be the set of outputs of $P$, that is the set of terms $m$ such that $\bar c\langle m\rangle$ is a message output construct for some channel name $c$ in $P$, and let $\mathcal M_t(P)$ be the set of operands of tests of $P$, where a test is a couple $T = T'$ occurring in a conditional and its operands are $T$ and $T'$. Let $\mathcal M(P) = \mathcal M_0(P) \cup \mathcal M_t(P)$ be the set of messages of $P$. Examples are provided at the end of this section.
The following lemma intuitively states that any message contained in a valid frame is an output instantiated by messages deduced from previously sent messages.

Lemma 3.1. Let $P$ be a closed plain process, and $A$ be a closed extended process such that $P \Rightarrow^* A$. There are $l \ge 0$, an extended process $B = \nu\tilde n.\sigma_l \mid P_B$, where $P_B$ is some plain process, and $\theta$ a substitution public w.r.t. $\tilde n$ such that: $A \equiv B$, $\tilde n \subseteq \mathrm{bn}(P)$, for every operand of a test or an output $M$ of $P_B$ there is a message $M_0$ in $P$ (an operand of a test or an output respectively), such that $M = M_0\theta\sigma_l$, and $\sigma_i = \sigma_{i-1} \cup \{M_i\theta_i\sigma_{i-1}/y_i\}$ is a ground substitution, for all $1 \le i \le l$, where $M_i$ is an output in $P$, $\theta_i$ is a substitution public w.r.t. $\tilde n$ and $\sigma_0$ is the empty substitution.

The proof is done by induction on the number of reductions in $P \Rightarrow^* A$. A detailed proof can be found in Appendix B. Intuitively, $B$ is obtained by applying the SUBST rule (from left to right) as much as possible until there are no variables left in the plain process. Note that $B$ is unique up to the structural rules different from ALIAS, SUBST and REWRITE. We say that $\varphi(B)$ is the standard frame w.r.t. $A$.

As a running example we consider the Yahalom protocol:

    $A \to B : A, N_a$
    $B \to S : B, \{A, N_a, N_b\}_{K_{bs}}$
    $S \to A : \{B, K_{ab}, N_a, N_b\}_{K_{as}}, \{A, K_{ab}\}_{K_{bs}}$
    $A \to B : \{A, K_{ab}\}_{K_{bs}}$

In this protocol, two participants $A$ and $B$ wish to establish a shared key $K_{ab}$. The key is created by a trusted server $S$ which shares the secret keys $K_{as}$ and $K_{bs}$ with $A$ and $B$ respectively. The protocol is modeled by the following process:

$P_Y = \nu k_{as}, k_{bs}.\big((!P_A) \mid (!P_B) \mid (!\nu k.P_S(k)) \mid \nu k_{ab}.P_S(k_{ab})\big)$

with

    $P_A = \nu n_a.\bar c\langle a, n_a\rangle.c(z_a).[b = U_b].[n_a = U_{na}].\bar c\langle \pi_2(z_a)\rangle.0$
    $P_B = c(z_b).\nu n_b, r_b.\bar c\langle b, \mathrm{enc}(\langle \pi_1(z_b), \langle \pi_2(z_b), n_b\rangle\rangle, k_{bs}, r_b)\rangle.c(z'_b).[a = \pi_1(\mathrm{dec}(z'_b, k_{bs}))].0$
    $P_S(x) = c(z_s).[a = V_a].[b = \pi_1(z_s)].\nu r_s, r'_s.\bar c\langle \mathrm{enc}(\langle \pi_1(z_s), \langle x, V_n\rangle\rangle, k_{as}, r_s), \mathrm{enc}(\langle V_a, x\rangle, k_{bs}, r'_s)\rangle.0$

where $U_b = \pi_1(\mathrm{dec}(\pi_1(z_a), k_{as}))$, $U_{na} = \pi_1(\pi_2(\pi_2(\mathrm{dec}(\pi_1(z_a), k_{as}))))$, $V_a = \pi_1(\mathrm{dec}(\pi_2(z_s), k_{bs}))$ and $V_n = \pi_2(\mathrm{dec}(\pi_2(z_s), k_{bs}))$.

Note that for simplicity and concision, we only consider two honest agents. However, we could extend the process to the case where $A$ and $B$ are also willing to interact with a corrupted identity $C$ and establish a similar result.

For this protocol the set of outputs and operands of tests are respectively:

$\mathcal M_0(P_Y) = \{\langle a, n_a\rangle,\ \pi_2(z_a),\ \langle b, \mathrm{enc}(\langle \pi_1(z_b), \langle \pi_2(z_b), n_b\rangle\rangle, k_{bs}, r_b)\rangle,\ \langle \mathrm{enc}(\langle \pi_1(z_s), \langle x, V_n\rangle\rangle, k_{as}, r_s), \mathrm{enc}(\langle V_a, x\rangle, k_{bs}, r'_s)\rangle\}$ and
$\mathcal M_t(P_Y) = \{b, U_b, n_a, U_{na}, a, \pi_1(\mathrm{dec}(z'_b, k_{bs})), V_a, b, \pi_1(z_s)\}$.
3.2. Our hypotheses. In what follows, we assume $s$ to be the desired secret. As in the passive case, destructors above the secret must be forbidden. We also restrict ourselves to processes with ground terms in key position. Indeed, consider the process

$P_1 = \nu s, k, r, r'.(\bar c\langle \mathrm{enc}(s, k, r)\rangle \mid c(z).\bar c\langle \mathrm{enc}(a, \mathrm{dec}(z, k), r')\rangle)$.

The name $s$ in $P_1$ is syntactically secret but not strongly secret. Indeed,

    $P_1 \equiv \nu s, k, r, r'.(\nu z.(\{\mathrm{enc}(s, k, r)/z\} \mid \bar c\langle z\rangle \mid c(z).\bar c\langle \mathrm{enc}(a, \mathrm{dec}(z, k), r')\rangle))$
    $\to \nu s, k, r, r'.(\{\mathrm{enc}(s, k, r)/z\} \mid \bar c\langle \mathrm{enc}(a, s, r')\rangle)$   (COMM rule)
    $\equiv \nu s, k, r, r'.(\nu z'.(\{\mathrm{enc}(s, k, r)/z,\ \mathrm{enc}(a, s, r')/z'\} \mid \bar c\langle z'\rangle))$
    $\xrightarrow{\nu z'.\bar c\langle z'\rangle} P'_1 = \nu s, k, r, r'.\{\mathrm{enc}(s, k, r)/z,\ \mathrm{enc}(a, s, r')/z'\}$

and $P'_1$ does not preserve the strong secrecy of $s$ (see the frame $\psi_2$ of Section 2.4).

Without loss of generality with respect to cryptographic protocols, we assume that terms occurring in processes are in normal form and that no destructor appears above constructors. Indeed, terms like $\pi_1(\mathrm{enc}_g(M, K, R))$ are usually not used to specify protocols. We also assume that tests do not contain constructors. Indeed a test $[\langle T_1, T_2\rangle = T']$ can be rewritten as $[T_1 = T'_1].[T_2 = T'_2]$ if $T' = \langle T'_1, T'_2\rangle$, and $[T_1 = \pi_1(T')].[T_2 = \pi_2(T')]$ if $T'$ does not contain constructors, and will never hold otherwise. Similar rewriting applies for encryption, except for the test $[\mathrm{enc}_g(T_1, T_2, T_3) = T']$ if $T'$ does not contain constructors. It can be rewritten in $[\mathrm{dec}_g(T', T_2) = T_1]$ but this is not equivalent. However since the randomness of encryption is not known to the agents, explicit tests on the randomness should not occur in general.

This leads us to consider the following class of processes. 

Definition 6. A process $P$ is well-formed w.r.t. a name $s$ if it is closed, channels are names different from $s$ and:

(1) the symbol retrieve does not occur in $\mathcal M(P)$, the symbol check does not occur in $\mathcal M(P)$ except in head of a test, that is, the check symbol can only appear in tests of the form $[\mathrm{check}(M, N, K) = \mathrm{ok}]$ where check does not appear in $M, N, K$;

(2) any encryption in some term of $\mathcal M(P)$ is a probabilistic agent encryption w.r.t. $\mathcal M(P)$ and $\mathrm{bn}(P) \setminus \{s\}$ respectively;

(3) for any subterm $\mathrm{enc}_g(M, K, R)$, $\mathrm{dec}_g(M, K)$ or $\mathrm{sign}(M, K)$ occurring in $\mathcal M(P)$, $K$ is a closed term;

(4) in $\mathcal M(P)$ there are no destructors, nor pub or priv function symbols above constructors, nor above $s$;

(5) for any test,

• either each operand of a test $T \in \mathcal M_t$ is a name, a constant or has the form $\pi^1(\mathrm{dec}_1(\ldots \pi^l(\mathrm{dec}_l(\pi^{l+1}(z), K_l)) \ldots, K_1))$, with $l \ge 0$, where $\mathrm{dec}_i \in \{\mathrm{dec}, \mathrm{deca}\}$, $\pi^i$ are words on $\{\pi_1, \pi_2\}$ and $z$ is a variable,

• or the test is $[\mathrm{check}(M, N, K) = \mathrm{ok}]$ with $K$ being a closed term and $M$ and $N$ of the previously described form.

Conditionals should not test on $s$. For example, consider the following process:

$P_2 = \nu s, k, r.(\bar c\langle \mathrm{enc}(s, k, r)\rangle \mid c(z).[\mathrm{dec}(z, k) = a].\bar c\langle \mathrm{ok}\rangle)$

where $a$ is a non restricted name. The name $s$ in $P_2$ is syntactically secret but not strongly secret. Indeed, $P_2 \to \nu s, k, r.(\{\mathrm{enc}(s, k, r)/z\} \mid [s = a].\bar c\langle \mathrm{ok}\rangle)$ and the process $P_2[a/s]$ reduces further, while $P_2[b/s]$ does not.

That is why we have to prevent hidden tests on $s$. Such tests may occur nested in equality tests. For example, let

    $P_3 = \nu s, k, r, r_1, r_2.(\bar c\langle \mathrm{enc}(s, k, r)\rangle \mid \bar c\langle \mathrm{enc}(\mathrm{enc}(a, k', r_2), k, r_1)\rangle \mid c(z).[\mathrm{dec}(\mathrm{dec}(z, k), k') = a].\bar c\langle \mathrm{ok}\rangle)$
    $\to P'_3 = \nu s, k, r, r_1, r_2.(\{\mathrm{enc}(s, k, r)/z\} \mid \bar c\langle \mathrm{enc}(\mathrm{enc}(a, k', r_2), k, r_1)\rangle \mid [\mathrm{dec}(s, k') = a].\bar c\langle \mathrm{ok}\rangle)$

Then $P_3[\mathrm{enc}(a, k', r')/s]$ is not equivalent to $P_3[n/s]$, since the process $P'_3[\mathrm{enc}(a, k', r')/s]$ emits the message ok while $P'_3[n/s]$ does not. This relies on the fact that the decryption $\mathrm{dec}(z, k)$ allows access to $s$ in the test.

For the remaining of the section we assume that $x$ and $z_0$ are new fixed variables. To prevent hidden tests on the secret, we compute an over-approximation of the ciphertexts that may contain the secret, by marking with $x$ all positions under which the secret may appear in clear.

We first introduce a function $f_{ep}$ that extracts the lowest encryption over $s$ and "cleans up" the pairing function above $s$. Formally, we define the partial function

$f_{ep} : \mathcal T \times \mathbb N^*_+ \to \mathcal T \times \mathbb N^*_+$,

$f_{ep}(U, p) = (V, q)$ where $V$ and $q$ are defined as follows: $q < p$ is the position (if it exists) of the lowest encryption on the path $p$ in $U$. If $q$ does not exist or if $p$ is not a maximal position in $U$, then $f_{ep}(U, p) = \bot$. Otherwise, $V$ is obtained from $U|_q$ by replacing all arguments of pairs that are not on the path $p$ with new variables. More precisely, let $V' = U|_q$. The subterm $V'$ must be of the form $\mathrm{enc}_g(M_1, M_2, M_3)$ and $p = q \cdot i \cdot q'$. If $i \ne 1$, then $f_{ep}(U, p) = \bot$. Otherwise, $V$ is defined by $V = \mathrm{enc}_g(M'_1, M_2, M_3)$ with $M'_1 = \mathrm{prune}(M_1, q')$ where prune is recursively defined by:

    $\mathrm{prune}(N, \epsilon) = N$
    $\mathrm{prune}(\langle N_1, N_2\rangle, 1 \cdot r) = \langle \mathrm{prune}(N_1, r), z_{2 \cdot r}\rangle$
    $\mathrm{prune}(\langle N_1, N_2\rangle, 2 \cdot r) = \langle z_{1 \cdot r}, \mathrm{prune}(N_2, r)\rangle$
    $\mathrm{prune}(\mathrm{sign}(M, K), 1 \cdot r) = \mathrm{sign}(\mathrm{prune}(M, r), z_{2 \cdot r})$
    $\mathrm{prune}(f(N_1, \ldots, N_k), r) = f(N_1, \ldots, N_k)$ if $f$ is a destructor

and is undefined in all other cases. For example,

$f_{ep}(\mathrm{enc}(\mathrm{enc}(\langle a, c\rangle, k_2, r_2), k_1, r_1), 1 \cdot 1 \cdot 2) = (\mathrm{enc}(\langle z_1, c\rangle, k_2, r_2), 1)$.

The function $f_e$ is the composition of the first projection with $f_{ep}$. With the function $f_e$, we can extract from the outputs of a protocol $P$ the set of ciphertexts where $s$ appears explicitly below the encryption.

$\mathcal E_0(P) = \{f_e(M[x]_p, p) \mid M \in \mathcal M_0(P) \wedge M|_p = s\}$.

For example, $\mathcal E_0(P_Y) = \{\mathrm{enc}(\langle z_{1.1}, \langle x, z_2\rangle\rangle, k_{as}, r_s),\ \mathrm{enc}(\langle z_1, x\rangle, k_{bs}, r'_s)\}$, where $P_Y$ is the process corresponding to the Yahalom protocol defined in the previous section.



16 



V. CORTIER, M. RUSINOWITCH, AND E. ZALINESCU 



However $s$ may appear in other ciphertexts sent later on during the execution of the protocol after decryptions and encryptions. Thus we also extract from outputs the destructor parts (which may open encryptions). Namely, we define the partial function

$f_{dp} : \mathcal T \times \mathbb N^*_+ \to \mathcal T \times \mathbb N^*_+$,

$f_{dp}(U, p) = (V, q)$ where $V$ and $q$ are defined as follows: $q < p$ is the occurrence of the highest destructor different from check above $p$ (if it exists). Let $r < p$ be the occurrence of the lowest decryption above $p$ (if it exists). We have $U|_r = \mathrm{dec}_g(U_1, U_2)$. Then $U_1$ is replaced by the variable $z_0$, that is $V = (U[\mathrm{dec}_g(z_0, U_2)]_r)|_q$. If $q$ or $r$ do not exist then $f_{dp}(U, p) = \bot$.

For example, $f_{dp}(\mathrm{enc}(\pi_1(\mathrm{dec}(\pi_2(y), k_1)), k_2, r_2), 1 \cdot 1 \cdot 1 \cdot 1) = (\pi_1(\mathrm{dec}(z_0, k_1)), 1)$.

The function $f_d$ is the composition of the first projection with $f_{dp}$. By applying the function $f_d$ to messages of a well-formed process $P$ we always obtain either terms $D$ of the form⁴ $D = D_1(\ldots D_n)$ where $D_i(z_0) = \pi^i(\mathrm{dec}_g(z_0, K_i))$ with $1 \le i \le n$, $K_i$ are ground terms and $\pi^i$ is a (possibly empty) sequence of projections $\pi_{j_1}(\pi_{j_2}(\ldots(\pi_{j_l})\ldots))$, or terms $\mathrm{check}(M, D, K)$ where $D$ is of the previously defined form.

With the function $f_d$, we can extract from the outputs of a protocol $P$ the meaningful destructor part.

$\mathcal D_0(P) = \{f_d(M, p) \mid M \in \mathcal M_0(P) \wedge p \in \mathrm{Pos}_v(M)\}$.

Remember that $\mathrm{Pos}_v(M)$ is the set of variable positions. For example, $\mathcal D_0(P_Y) = \{\pi_2(\mathrm{dec}(z_0, k_{bs})),\ \pi_1(\mathrm{dec}(z_0, k_{bs}))\}$.

We are now ready to mark (with $x$) all the positions where the secret might be transmitted (thus tested). We define inductively the sets $\mathcal E_i(P)$ as follows. For each element $E$ of $\mathcal E_i$ we can show that there is a unique term in normal form denoted by $\bar E$ such that $\mathcal V(\bar E) = \{z_0\}$ and $\bar E(E)\downarrow = x$. That is, intuitively, $\bar E$ opens $E$ until $x$. For example, let $E_1 = \mathrm{enc}(\langle z_1, \langle x, z_2\rangle\rangle, k_{as}, r_s)$, then $\bar E_1 = \pi_1(\pi_2(\mathrm{dec}(z_0, k_{as})))$. We define

    $\tilde{\mathcal E}_i(P) = \{U \mid \exists E \in \mathcal E_i(P),\ U \le_{st} \bar E \text{ and } \exists q \in \mathrm{Pos}(U),\ h(U|_q) = \mathrm{dec}_g\}$,
    $\mathcal E_{i+1}(P) = \{M'[x]_q \mid \exists M \in \mathcal M_0(P),\ p \in \mathrm{Pos}_v(M) \text{ s.t. } f_{ep}(M, p) = (M', p'),\ f_{dp}(M', p'') = (D, q),\ p = p' \cdot p'',\ D = D_1(\ldots D_n), \text{ and } D_1 \in \tilde{\mathcal E}_i(P)\}$.

For example,

    $\tilde{\mathcal E}_0(P_Y) = \{\pi_1(\pi_2(\mathrm{dec}(z_0, k_{as}))),\ \pi_2(\mathrm{dec}(z_0, k_{as})),\ \mathrm{dec}(z_0, k_{as}),\ \pi_2(\mathrm{dec}(z_0, k_{bs})),\ \mathrm{dec}(z_0, k_{bs})\}$,
    $\mathcal E_1(P_Y) = \{\mathrm{enc}(\langle z_{1.2}, \langle z_1, x\rangle\rangle, k_{as}, r_s)\}$,
    $\tilde{\mathcal E}_1(P_Y) = \{\pi_2(\pi_2(\mathrm{dec}(z_0, k_{as}))),\ \pi_2(\mathrm{dec}(z_0, k_{as})),\ \mathrm{dec}(z_0, k_{as})\}$

and $\mathcal E_i(P_Y) = \emptyset$ for $i \ge 2$.

Note that $\mathcal E(P) = \bigcup_{i \ge 0} \mathcal E_i(P)$ is finite up to renaming of the variables since for every $i \ge 1$ and every term $M \in \mathcal E_i(P)$, $\mathrm{Pos}(M)$ is included in the (finite) set of positions occurring in terms of $\mathcal M_0$.

We can now define an over-approximation of the set of tests that may be applied over the secret.

$\mathcal M_t^s(P) = \{T \in \mathcal M_t(P) \mid T = s \text{ or } \exists p \in \mathrm{Pos}_v(T) \text{ s.t. } D_1(\ldots D_n) = f_d(T, p),\ \exists E \in \mathcal E(P),\ \exists i \text{ s.t. } D_i = \pi^i(\mathrm{dec}_g(z_0, K)),\ E = \mathrm{enc}_g(U, K, R) \text{ and } x \in \mathrm{fn}(D_i(E)\downarrow)\}$

For example, $\mathcal M_t^s(P_Y) = \{\pi_1(\pi_2(\pi_2(\mathrm{dec}(\pi_1(z_a), k_{as}))))\}$.



⁴ In this context we simply write $D(T)$ instead of $D[T/z_0]$.
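The constructions of this section ($f_{ep}$ with prune, $f_{dp}$, the layers $\mathcal E_i(P)$ and $\tilde{\mathcal E}_i(P)$, $\mathcal D_0(P)$ and $\mathcal M_t^s(P)$) can be run mechanically. The Python script below is an added example and not code from the paper or its authors: it encodes terms as nested tuples, implements each definition over positions, and evaluates them on a hand transcription of the Yahalom outputs $\mathcal M_0(P_Y)$ and test operands $\mathcal M_t(P_Y)$ of Section 3.1, with the secret $k_{ab}$ written where $P_S(x)$ has its parameter $x$. Everything specific to the script is an assumption of this example: the tuple encoding, the convention that variables are strings starting with "z", the naming of fresh variables in prune by the position they replace (so the computed $\mathcal E_i(P_Y)$ agree with the sets given above only up to renaming, which the helper canon factors out), the omission of sign and check (unused by $P_Y$), and the termination guard in E_layers that drops elements already produced by an earlier layer.

```python
# Added example (not the paper's code): f_ep, f_dp and the sets E_i(P), D_0(P), M_t^s(P) of
# Section 3.2, evaluated on the Yahalom process P_Y of Section 3.1. Terms are nested tuples
# (symbol, args...); names and variables are strings, a variable being any string starting
# with "z" ("z0" is z_0; prune names fresh variables "z<position>"); the marker x is "x".
# Positions are tuples of 1-based argument indices. sign and check are omitted (P_Y uses neither).
ENC, PAIR, DEC, PI1, PI2 = "enc", "pair", "dec", "pi1", "pi2"
DESTRUCTORS = {DEC, PI1, PI2}
def is_var(t): return isinstance(t, str) and t.startswith("z")
def has_x(t): return t == "x" or (isinstance(t, tuple) and any(has_x(c) for c in t[1:]))
def sub(t, p):                    # t|_p
    for i in p: t = t[i]
    return t
def put(t, p, u):                 # t[u]_p
    return u if not p else t[:p[0]] + (put(t[p[0]], p[1:], u),) + t[p[0] + 1:]
def positions(t, here=()):        # every (position, subterm) pair, root first
    yield here, t
    if isinstance(t, tuple):
        for i, c in enumerate(t[1:], 1): yield from positions(c, here + (i,))
def prune(n, r):                  # pair arguments off the path r become fresh variables
    if not r or n[0] in DESTRUCTORS: return n
    if n[0] != PAIR: raise ValueError("prune undefined")
    i, rest = r[0], r[1:]
    keep, fresh = prune(n[i], rest), "z" + ".".join(map(str, (3 - i,) + rest))
    return (PAIR, keep, fresh) if i == 1 else (PAIR, fresh, keep)
def f_ep(u, p):                   # (V, q): lowest encryption above the maximal position p, pruned
    if isinstance(sub(u, p), tuple): return None             # p is not maximal
    encs = [p[:k] for k in range(len(p)) if sub(u, p[:k])[0] == ENC]
    if not encs or p[len(encs[-1])] != 1: return None        # no encryption, or s under key/randomness
    q, e = encs[-1], sub(u, encs[-1])
    try: return (ENC, prune(e[1], p[len(q) + 1:]), e[2], e[3]), q
    except ValueError: return None
def f_dp(u, p):                   # (D, q): highest destructor above p, lowest decryption opened on z0
    pre = [p[:k] for k in range(len(p))]
    dests = [q for q in pre if sub(u, q)[0] in DESTRUCTORS]
    decs = [q for q in pre if sub(u, q)[0] == DEC]
    if not dests or not decs: return None
    return sub(put(u, decs[-1], (DEC, "z0", sub(u, decs[-1])[2])), dests[0]), dests[0]
def norm(t):                      # normal form: dec/enc and projection/pair cancellations
    if not isinstance(t, tuple): return t
    t = (t[0],) + tuple(norm(c) for c in t[1:])
    if t[0] == DEC and isinstance(t[1], tuple) and t[1][0] == ENC and t[1][2] == t[2]: return t[1][1]
    if t[0] in (PI1, PI2) and isinstance(t[1], tuple) and t[1][0] == PAIR: return t[1][1 if t[0] == PI1 else 2]
    return t
def open_to_x(e):                 # \bar E: the destructor chain on z0 that reaches x in E
    p, acc = next(q for q, t in positions(e) if t == "x"), "z0"
    for k, i in enumerate(p):
        acc = (DEC, acc, sub(e, p[:k])[2]) if sub(e, p[:k])[0] == ENC else (PI1 if i == 1 else PI2, acc)
    return acc
def tilde(es):                    # \tilde E_i: subterms of some \bar E that contain a decryption
    return {u for e in es for _, u in positions(open_to_x(e)) if isinstance(u, tuple)
            and any(isinstance(v, tuple) and v[0] == DEC for _, v in positions(u))}
def blocks(d):                    # D = D_1(...D_n(z0)) -> [(D_1, K_1), ..., (D_n, K_n)], D_i a term in z0
    out = []
    while d != "z0":
        q = ()
        while sub(d, q)[0] != DEC: q += (1,)
        out.append((put(d, q + (1,), "z0"), sub(d, q)[2])); d = sub(d, q + (1,))
    return out
def subst_z0(d, e):               # D[E/z0], written D(E) in the paper
    return e if d == "z0" else (d[0],) + tuple(subst_z0(c, e) for c in d[1:]) if isinstance(d, tuple) else d
def E0(outputs, s):               # E_0(P): f_e(M[x]_p, p) for every occurrence p of s in an output M
    return {r[0] for m in outputs for p, t in positions(m) if t == s and (r := f_ep(put(m, p, "x"), p))}
def E_next(outputs, tilde_prev):  # E_{i+1}(P) computed from \tilde E_i(P)
    res = set()
    for m in outputs:
        for p, t in positions(m):
            if not is_var(t) or not (r := f_ep(m, p)): continue
            r2 = f_dp(r[0], p[len(r[1]):])
            if r2 and blocks(r2[0])[0][0] in tilde_prev: res.add(put(r[0], r2[1], "x"))
    return res
def E_layers(outputs, s):         # [E_0, E_1, ...], ending with the first empty layer
    layers, seen = [E0(outputs, s)], set()
    while layers[-1]:
        seen |= layers[-1]
        layers.append(E_next(outputs, tilde(layers[-1])) - seen)  # drop repeats so the loop ends
    return layers
def D0(outputs):                  # D_0(P): f_d(M, p) for every variable position p of an output M
    return {r[0] for m in outputs for p, t in positions(m) if is_var(t) and (r := f_dp(m, p))}
def Mts(tests, outputs, s):       # M_t^s(P): test operands through which the secret may be read
    E, res = set().union(*E_layers(outputs, s)), set()
    for t in tests:
        if t == s: res.add(t); continue
        for p, v in positions(t):
            if not is_var(v) or not (r := f_dp(t, p)): continue
            for di, key in blocks(r[0]):
                if any(e[2] == key and has_x(norm(subst_z0(di, e))) for e in E): res.add(t)
    return res
def canon(t):                     # rename every variable except z0 to "_" (E(P) is defined up to renaming)
    if is_var(t) and t != "z0": return "_"
    return (t[0],) + tuple(canon(c) for c in t[1:]) if isinstance(t, tuple) else t
# Hand transcription of M_0(P_Y) and M_t(P_Y) from Section 3.1 (the secret k_ab stands where
# P_S(x) has its parameter x); constructed input for this example.
S, V_n, V_a = "k_ab", (PI2, (DEC, (PI2, "z_s"), "k_bs")), (PI1, (DEC, (PI2, "z_s"), "k_bs"))
M0_PY = [(PAIR, "a", "n_a"), (PI2, "z_a"),
         (PAIR, "b", (ENC, (PAIR, (PI1, "z_b"), (PAIR, (PI2, "z_b"), "n_b")), "k_bs", "r_b")),
         (PAIR, (ENC, (PAIR, (PI1, "z_s"), (PAIR, S, V_n)), "k_as", "r_s"), (ENC, (PAIR, V_a, S), "k_bs", "r_s'"))]
U_b, U_na = (PI1, (DEC, (PI1, "z_a"), "k_as")), (PI1, (PI2, (PI2, (DEC, (PI1, "z_a"), "k_as"))))
MT_PY = ["b", U_b, "n_a", U_na, "a", (PI1, (DEC, "z_b'", "k_bs")), V_a, "b", (PI1, "z_s")]
```

Calling E_layers(M0_PY, S) returns the three layers $\mathcal E_0(P_Y)$, $\mathcal E_1(P_Y)$ and $\mathcal E_2(P_Y) = \emptyset$; D0(M0_PY) returns the two decryption blocks of $\mathcal D_0(P_Y)$, and Mts(MT_PY, M0_PY, S) returns exactly the operand $U_{na}$, as in the examples above. The check for $\mathcal M_t^s$ is the one the definition describes: each block $D_i$ is applied to every $E$ with the same key and the result is normalised with norm, so $U_{na}$ is flagged because $\pi_1(\pi_2(\pi_2(\cdot)))$ applied to the $\mathcal E_1$ ciphertext leaves $x$ under a projection. The same functions can be applied to the processes of Section 4 once their outputs and tests are transcribed in the same encoding.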
Definition 7. We say that a well-formed process $P$ w.r.t. $s$ does not test over $s$ if the following conditions are satisfied:

(1) for all $E \in \mathcal E(P)$, for all $D = D_1(\ldots D_n) \in \mathcal D_0(P)$, if $D_i = \pi^i(\mathrm{dec}_g(z_0, K))$ and $E = \mathrm{enc}_g(U, K, R)$ and $x \in \mathrm{fn}(D_i(E)\downarrow)$ then $i = 1$ and $D_1 \le_{st} \bar E$;

(2) if $[T = T']$, $[T' = T]$, $[\mathrm{check}(T, T', K) = \mathrm{ok}]$ or $[\mathrm{check}(T', T, K) = \mathrm{ok}]$ is a test of $P$ and $T \in \mathcal M_t^s(P)$ then $T'$ is a restricted name different from $s$.

For example, $P_Y$ does not test over $s$. Note that $\mathcal E(P)$ can be computed in polynomial time from $P$ and that whether $P$ does not test over $s$ is decidable. We show in the next section that the first condition is sufficient to ensure that frames obtained from $P$ are extended well-formed. It ensures in particular that there are no destructors right above $s$. If some $D_i$ cancels some encryption in some $E$ and $x \in \mathrm{fn}(D_i(E)\downarrow)$ then all its destructors should reduce in the normal form computation (otherwise some destructors (namely projections from $D_i$) remain above $x$). Also we have $i = 1$ since otherwise a $D_i$ may have consumed the lowest encryption above $x$, thus the other decryption may block, and again there would be destructors left above $x$.

The second condition requires that whenever an operand of a test $[T = T']$ is potentially dangerous (that is $T$ or $T'$ is in $\mathcal M_t^s(P)$) then the other operand should be a restricted name.

Example 5. A simple class of protocols that do not test on the secret is the one where in all messages sent by the protocol, the secret occurs only in the second component of pairs, and the tests apply only on the first component of pairs. For example, if for a protocol $P_3$ we have $\mathcal M_0(P_3) = \{\mathrm{enc}(\langle n_a, s\rangle, k, r),\ \mathrm{enc}(\langle n_a, \pi_2(\mathrm{dec}(z, k))\rangle, k', r')\}$ and the test is $[\pi_1(\mathrm{dec}(z', k')) = \pi_1(\mathrm{dec}(z'', k))]$ then there will be no test on $s$. Moreover, this protocol also satisfies the first condition and hence we obtain that $s$ is strongly secret using the main result of this section.

We also give examples of protocols not satisfying the two conditions of Definition 7. Consider first a protocol $P_1$ for which $\mathcal M_0(P_1) = \{\mathrm{enc}(\pi_1(\mathrm{dec}(z, k)), k, r'),\ \mathrm{enc}(s, k, r)\}$. $P_1$ does not satisfy the first condition of the previous definition because the term $\mathrm{enc}(\pi_1(s), k, r)$ (with a destructor right above $s$) could be obtained by sending the first message to the agent which constructs the second message.

A second example of protocol not satisfying the conditions (this time the second one) is inspired from the Otway-Rees protocol. Consider a protocol $P_2$ where the server waits for $A, \{N_a, A\}_{K_{as}}$, performs a test on $A$ and then sends $\{N_a, K_{ab}\}_{K_{as}}$. Using a second session, the intruder is able to transform the test that the server does on $A$ into a test on the secret. Formally, $\mathcal M_0(P_2) = \{\langle a, \mathrm{enc}(\langle n_a, a\rangle, k_{as}, r)\rangle,\ \mathrm{enc}(\langle \pi_1(\mathrm{dec}(\pi_2(z), k_{as})), s\rangle, k_{as}, r')\}$ and $\mathcal M_t(P_2) = \{\pi_1(z),\ \pi_2(\mathrm{dec}(\pi_2(z), k_{as}))\}$. Then $\pi_2(\mathrm{dec}(\pi_2(z), k_{as})) \in \mathcal M_t^s(P_2)$ but $\pi_1(z)$ is not a restricted name.

3.3. Main result. We are now ready to prove that syntactic secrecy is actually equivalent to strong secrecy for protocols that are well-formed and do not test over the secret.

Theorem 3.2. Let $P$ be a well-formed process w.r.t. a bound name $s$ such that $P$ does not test over $s$. We have $\varphi \nvdash s$ for any valid frame $\varphi$ w.r.t. $P$ if and only if $P[M/s] \approx_l P[M'/s]$, for all ground terms $M, M'$ public w.r.t. $\mathrm{bn}(P)$.

Proof. Consider first the simpler implication, that is strong secrecy implies syntactic secrecy. Suppose that there is a valid frame $\varphi$ w.r.t. $P$ such that $\varphi \vdash s$. Then, as for the passive case, there are $M$ and $M'$ public ground terms such that $\varphi[M/s] \not\approx \varphi[M'/s]$. Since $\varphi$ is a valid frame there is an extended process $A$ such that $P \Rightarrow^* A$ and $\varphi = \varphi(A)$. Then clearly $P[M/s] \Rightarrow^* A[M/s]$ and $P[M'/s] \Rightarrow^* A[M'/s]$. Thus if $P[M/s] \approx_l P[M'/s]$ then $A[M/s] \approx_l A[M'/s]$ and moreover $\varphi(A[M/s]) \approx \varphi(A[M'/s])$. Since $\varphi(A[T/s]) = \varphi(A)[T/s]$ for any term $T$, we get $\varphi[M/s] \approx \varphi[M'/s]$, contradiction. We deduce $P[M/s] \not\approx_l P[M'/s]$ and thus $s$ is not strongly secret in $P$.

The remaining of the section is devoted to the converse implication. Let $P$ be a well-formed process w.r.t. a bound name $s$ with no test over $s$ and assume that $s$ is syntactically secret in $P$. Let $M, M'$ be two public terms w.r.t. $\mathrm{bn}(P)$. To prove that $P[M/s]$ and $P[M'/s]$ are labeled bisimilar, we need to show that each move of $P[M/s]$ can be matched by a move in $P[M'/s]$ such that the corresponding frames are bisimilar (and conversely). By hypothesis, $P$ is syntactically secret w.r.t. $s$ thus for any valid frame $\varphi$ w.r.t. $P$, we have $\varphi \nvdash s$. In order to apply our previous result in the passive setting (Theorem 2.2), we need to show that all the valid frames are well-formed. However, frames may now contain destructors, in particular if the adversary sends messages that contain destructors. That is why we consider extended well-formed frames, defined in Section 2.5.

Theorem 2.2 can easily be generalized to extended well-formed frames.

Proposition 3.3. Let $\varphi$ be an extended well-formed frame w.r.t. $s$, where $s$ is a restricted name in $\varphi$. Then $\varphi \nvdash s$ if and only if $\varphi[M/s] \approx \varphi[M'/s]$ for all $M, M'$ closed public terms w.r.t. $\varphi$.

The proof of Proposition 3.3 is exactly the same as the proof of Theorem 2.2 except that it uses Corollary 2.8 and Lemma 2.9 instead of Lemmas 2.3 and 2.4 respectively.

The first step of the proof of Theorem 3.2 is to show that any frame produced by the protocol is an extended well-formed frame. We actually prove directly a stronger result, crucial in the proof: the secret $s$ always occurs under an agent encryption and this encryption is an instance of a term in $\mathcal E(P)$. This shows that $\mathcal E(P)$ is indeed an approximation of the ciphertexts that may contain the secret.

Lemma 3.4. Let $P$ be a well-formed process with no test over $s$ and $\varphi = \nu\tilde n.\sigma$ be a valid frame w.r.t. $P$ such that $\varphi \nvdash s$. Consider the corresponding standard frame $\nu\tilde n.\sigma = \nu\tilde n.\{U_i/y_i \mid 1 \le i \le l\}$. For every $i$ and every occurrence $q_s$ of $s$ in $U_i\downarrow$, we have $f_e(U_i\downarrow, q_s) = E[W/x]$ for some $E \in \mathcal E(P)$ and some term $W$. In addition $\nu\tilde n.\sigma\downarrow$ is an extended well-formed frame w.r.t. $s$.

The lemma is proved in Appendix C. The proof uses an induction on $i$ and relies deeply on the construction of $\mathcal E(P)$.

The second step of the proof consists in showing that any successful test in the process $P[M/s]$ is also successful in $P$ and thus in $P[M'/s]$.

Lemma 3.5. Let $P$ be a well-formed process with no test over $s$, $\varphi = \nu\tilde n.\sigma$ a valid frame for $P$ such that $\varphi \nvdash s$, $\theta$ a public substitution and $M$ a public ground term. If $T_1 = T_2$ is a test in $P$, then $T_1\theta\sigma[M/s] =_E T_2\theta\sigma[M/s]$ implies $T_1\theta\sigma =_E T_2\theta\sigma$.

This lemma is proved in Appendix C by case analysis, depending on whether $T_1, T_2 \in \mathcal M_t^s(P)$ and whether $s$ occurs or not in $\mathrm{fn}(T_1\theta\sigma)$ and $\mathrm{fn}(T_2\theta\sigma)$.

Using Lemmas 3.4 and 3.5 we are ready to complete the proof of Theorem 3.2 showing that $P[M/s]$ and $P[M'/s]$ are labeled bisimilar.
We consider the relation $\mathcal R$ between closed extended processes defined as follows: $A \mathcal R B$ if there is an extended process $A_0$ and ground terms $M, M'$ public w.r.t. $\mathrm{bn}(P)$ such that $P \Rightarrow^* A_0$, $A = A_0[M/s]$ and $B = A_0[M'/s]$.

We show that $\mathcal R$ satisfies the three points of the definition of labeled bisimilarity. Suppose $A \mathcal R B$, that is $A_0[M/s] \mathcal R A_0[M'/s]$ for some $A_0, M, M'$ as above.

(1) Let us show that $\varphi(A_0[M/s]) \approx \varphi(A_0[M'/s])$. We know that $\varphi(A_0)$ is a valid frame w.r.t. $P$ (from the definition of $\mathcal R$), hence $\varphi(A_0) \nvdash s$ (from the hypothesis). Let $\varphi' \equiv \varphi(A_0)$ having only ground and normalised terms (take for example $\varphi' = \varphi(A)\downarrow$, where $\varphi(A)$ is the standard frame w.r.t. $A_0$). Then, by Lemma 3.4, we have that $\varphi'$ is an extended well-formed frame. We can then use Proposition 3.3 to obtain that $\varphi(A_0)[M/s] \approx \varphi(A_0)[M'/s]$.

(2) Let us show that if $A_0[M/s] \to A'$ then $A' = A'_0[M/s]$, $A_0[M'/s] \to A'_0[M'/s]$ and $A'_0[M/s] \mathcal R A'_0[M'/s]$, for some $A'_0$. We distinguish two cases, according to whether the transition rule was the COMM rule or one of the THEN and ELSE rules:

• if the COMM rule was used then $A_0[M/s] = C[M/s][\bar c\langle z\rangle.Q[M/s] \mid c(z).R[M/s]]$, where $C$ is an evaluation context and $A' = C[M/s][Q[M/s] \mid R[M/s]]$. Then $A_0 = C[\bar c\langle z\rangle.Q \mid c(z).R]$. Take $A'_0 = C[Q \mid R]$. We have that $P \Rightarrow^* A'_0$ and thus, by definition of $\mathcal R$, we have that $A'_0[M/s] \mathcal R A'_0[M'/s]$.

• otherwise, $A_0[M/s] = C[M/s][\text{if } T'[M/s] = T''[M/s] \text{ then } Q[M/s] \text{ else } R[M/s]]$. Then $A_0 = C[\text{if } T' = T'' \text{ then } Q \text{ else } R]$. From Lemma 3.1 we know that $T' = T'_0\theta\sigma$ and $T'' = T''_0\theta\sigma$, where $T'_0 = T''_0$ is a test in $P$ and $\nu\tilde n.\sigma = \varphi(A_0)$ is the standard frame w.r.t. $A_0$. Take $A'_0 = C[Q]$ if $T'_0\theta\sigma =_E T''_0\theta\sigma$ and $A'_0 = C[R]$ otherwise. From Lemma 3.5 we have that $T'_0\theta\sigma =_E T''_0\theta\sigma$ if and only if $T'_0\theta\sigma[M/s] =_E T''_0\theta\sigma[M/s]$. Hence $A_0[M/s] \to A'_0[M/s]$, $A_0[M'/s] \to A'_0[M'/s]$ and $A_0 \to A'_0$. We conclude $A'_0[M/s] \mathcal R A'_0[M'/s]$ from the definition of $\mathcal R$.

(3) Let us show that if $A_0[M/s] \xrightarrow{\alpha} A'$ and $\mathrm{fv}(\alpha) \subseteq \mathrm{dom}(\varphi(A_0[M/s]))$ and $\mathrm{bn}(\alpha) \cap \mathrm{fn}(A_0[M'/s]) = \emptyset$ then $A' = A'_0[M/s]$, $A_0[M'/s] \xrightarrow{\alpha} A'_0[M'/s]$ and $A'_0[M/s] \mathcal R A'_0[M'/s]$, for some $A'_0$. Depending on the form of $\alpha$, we consider the following cases:

• $\alpha = c(T)$. Suppose $A_0[M/s] = C[M/s][c(z).Q[M/s]]$. Then take $A'_0 = C[Q\{T/z\}]$.

• $\alpha = \bar c\langle u\rangle$. Suppose $A_0[M/s] = C[M/s][\bar c\langle u\rangle.Q[M/s]]$. Then take $A'_0 = C[Q]$.

• $\alpha = \nu u.\bar c\langle u\rangle$. Suppose $A_0[M/s] = C[M/s][\nu u.A_1[M/s]]$, where $A_1[M/s] \xrightarrow{\bar c\langle u\rangle} A'_1[M/s]$. Then take $A'_0 = C[A'_1]$.

The above discussion proves that $\mathcal R \subseteq \approx_l$. Since we have $P[M/s] \mathcal R P[M'/s]$ it follows that $P[M/s] \approx_l P[M'/s]$. □

4. Application to some cryptographic protocols 

We apply our result to three protocols (Yahalom, Needham-Schroeder with symmetric keys and Wide-Mouthed-Frog), known to preserve the usual syntactic secrecy property. Since all these three protocols satisfy our hypotheses, we directly deduce that they preserve the strong secrecy property.
4.1. Yahalom. We have seen in Section 3.2 that $P_Y$ is a well-formed process w.r.t. $k_{ab}$ and does not test over $k_{ab}$. Applying Theorem 3.2, if $P_Y$ preserves the syntactic secrecy of $k_{ab}$, we can deduce that the Yahalom protocol preserves the strong secrecy of $k_{ab}$, that is

$P_Y[M/k_{ab}] \approx_l P_Y[M'/k_{ab}]$

for any public terms $M, M'$ w.r.t. $\mathrm{bn}(P_Y)$. We did not formally prove that the Yahalom protocol preserves the syntactic secrecy of $k_{ab}$ but this was done with several tools in slightly different settings (e.g. [13, 29]).

In what follows, for sake of simplicity, we may omit the symbol $\langle , \rangle$ for pairing. In that case, we assume a right priority, that is $a, b, c = \langle a, \langle b, c\rangle\rangle$.



4.2. Needham-Schroeder symmetric key protocol. The Needham-Schroeder symmet- 
ric key protocol [28J is described below: 

A^S: A, B, N a 

S^A: {N a ,B, K ab , {K ab , A} Kbs } Kaa 
A^B: {K ab ,A} Kbs 

The target secret is K ab . The protocol is modeled by the following process: 

Pns = vk as .vk bs . (L4) | (lc(z b )) j (\uk.S(k)) \ vk ab .S{k ab ) 

where 

A = v"n a .c(a,b,n a ).c(z a )-[Tri(dec(za,k as )) = n a ]. 

[7ri(7r 2 (dec(2! a ,/c as ))) = 6] .0(7^(^2(^2 (dec (z , k as ))))) 
S(x) = c(z s )Mr,r'.c(enc((TT2{7r2(z s )),TT 1 (7r 2 {z s )),k ab , 
enc((x, tti(z s )), k bs ,r')), k as ,r)) 
Note that other processes should be added to consider corrupted agents, or the roles $A$, $B$ and
$S$ talking to other agents, but this would not really change the following sets of messages.
The output messages are:

$\mathcal{M}_o = \{\ \langle a, b, n_a\rangle,\ \ \pi_2(\pi_2(\pi_2(dec(z_a, k_{as})))),\ \ enc(\langle \pi_2(\pi_2(z_s)), \pi_1(\pi_2(z_s)), k_{ab}, enc(\langle k_{ab}, \pi_1(z_s)\rangle, k_{bs}, r')\rangle, k_{as}, r)\ \}$

The tests are:

$\pi_1(dec(z_a, k_{as})) = n_a$
$\pi_1(\pi_2(dec(z_a, k_{as}))) = b$

In order to increase readability, and since it is easy to deduce $\mathcal{E}_i$ from it, we also give
$\max\mathcal{E}_i$, which collects, for each $E \in \mathcal{E}_i$, the destructor term $D(z)$ such that $D[E/z]$
reduces to $x$.

$\mathcal{V} = \{\pi_2(\pi_2(\pi_2(dec(z, k_{as}))))\}$
$\mathcal{E}_0 = \{enc(\langle z_1, \langle z_2, \langle x, z_3\rangle\rangle\rangle, k_{as}, r),\ enc(\langle x, z_4\rangle, k_{bs}, r')\}$
$\max\mathcal{E}_0 = \{\pi_1(\pi_2(\pi_2(dec(z, k_{as})))),\ \pi_1(dec(z, k_{bs}))\}$
$\mathcal{V} \cap \mathcal{E} = \emptyset$
$\mathcal{M}_t^{k_{ab}} = \emptyset$

We deduce that $P_{NS}$ is a well-formed process w.r.t. $k_{ab}$ that does not test over $k_{ab}$.
Applying Theorem 3.2, and since the Needham-Schroeder symmetric key protocol is known
to preserve syntactic secrecy of $k_{ab}$, we deduce that the protocol preserves strong secrecy of
$k_{ab}$, that is

$P_{NS}[M/k_{ab}] \approx_l P_{NS}[M'/k_{ab}]$

for any public terms $M, M'$ w.r.t. $bn(P_{NS})$.

4.3. Wide Mouthed Frog Protocol (modified). We consider a modified version of the
Wide Mouthed Frog Protocol [15], where timestamps are replaced by nonces.

$A \to B : N_a$
$B \to S : \{N_a, A, K_{ab}\}_{K_{bs}}$
$S \to A : \{N_a, B, K_{ab}\}_{K_{as}}$

The target secret is $K_{ab}$. The protocol is modeled by the following process:

$P_{WMF} = \nu k_{as}.\nu k_{bs}.\big( (!A) \mid (!S) \mid (!\nu k.B(k)) \mid \nu k_{ab}.B(k_{ab}) \big)$

where

$A = \nu n_a.\bar{c}\langle n_a\rangle.c(z_a).[\pi_1(dec(z_a, k_{as})) = n_a]$

$B(x) = c(z_b).\nu r.\bar{c}\langle enc(\langle z_b, a, x\rangle, k_{bs}, r)\rangle$

$S = c(z_s).[\pi_1(\pi_2(dec(z_s, k_{bs}))) = a].\nu r'.\bar{c}\langle enc(\langle \pi_1(dec(z_s, k_{bs})), b, \pi_2(\pi_2(dec(z_s, k_{bs})))\rangle, k_{as}, r')\rangle$

Note that other processes should be added to consider corrupted agents, or the roles $A$, $B$
and $S$ talking to other agents, but again this would not really change the following sets of
messages.

The output messages are:

$\mathcal{M}_o = \{\ n_a,\ \ enc(\langle z_b, a, k_{ab}\rangle, k_{bs}, r),\ \ enc(\langle \pi_1(dec(z_s, k_{bs})), b, \pi_2(\pi_2(dec(z_s, k_{bs})))\rangle, k_{as}, r')\ \}$

The tests are:

$\pi_1(dec(z_a, k_{as})) = n_a$
$\pi_1(\pi_2(dec(z_s, k_{bs}))) = a$

$\mathcal{V}_0 = \{\pi_1(dec(z, k_{bs})),\ \pi_2(\pi_2(dec(z, k_{bs})))\}$
$\mathcal{E}_0 = \{enc(\langle z_1, \langle z_2, x\rangle\rangle, k_{bs}, r)\}$
$\max\mathcal{E}_0 = \{\pi_2(\pi_2(dec(z, k_{bs})))\}$
$\mathcal{E}_1 = \{enc(\langle z_1, \langle z_2, x\rangle\rangle, k_{as}, r)\}$
$\max\mathcal{E}_1 = \{\pi_2(\pi_2(dec(z, k_{as})))\}$
$\mathcal{V}_0 \cap \mathcal{E}_1 = \emptyset$
$\mathcal{M}_t^{k_{ab}} = \emptyset$

We obtain similarly that $P_{WMF}$ is a well-formed process w.r.t. $k_{ab}$ that does not test
over $k_{ab}$. Applying Theorem 3.2, and since the Wide Mouthed Frog protocol is known to
preserve syntactic secrecy of $k_{ab}$, we deduce that the protocol preserves strong secrecy of
$k_{ab}$, that is

$P_{WMF}[M/k_{ab}] \approx_l P_{WMF}[M'/k_{ab}]$

for any public terms $M, M'$ w.r.t. $bn(P_{WMF})$.
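The bookkeeping carried out by hand in Sections 4.2 and 4.3 (the contexts $\mathcal{E}_i$, their extraction paths $\max\mathcal{E}_i$, the destructor paths $\mathcal{V}$ of the outputs, and the check that no test operand reaches the secret) can be mechanised on symbolic terms. The Python script below is an added example written for this page; it is not code from the paper or its authors. It represents terms as nested tuples, normalises them with the three rewrite rules for pairs and symmetric encryption, recomputes the sets listed above for the Needham-Schroeder and Wide Mouthed Frog models, and flags a test operand as a test over $k_{ab}$ under a simplified reading of $\mathcal{M}_t^{k_{ab}}$: the operand, applied to some context in $\mathcal{E}$, normalises to a term in which $x$ is no longer below an encryption. The helper names (`contexts`, `max_path`, `analyse`, ...) are this example's own; the paper's $f_e$, $f_d$ and its exact definition of $\mathcal{M}_t^s$ are not reproduced.

```python
# Added example, not the paper's code. Terms: ('pair',a,b) ('enc',m,k,r) ('dec',c,k) ('p1',t) ('p2',t);
# atoms are strings, input variables start with 'z', and the secret k_ab is abstracted by 'x' as in E_i.
from itertools import count

X = 'x'
is_app = lambda t, *heads: isinstance(t, tuple) and t[0] in heads

def pair(*ts):  # right-priority pairing: a, b, c = <a, <b, c>>
    return ts[0] if len(ts) == 1 else ('pair', ts[0], pair(*ts[1:]))

def normalize(t):  # normal form for p1(<a,b>)->a, p2(<a,b>)->b, dec(enc(m,k,r),k)->m
    if isinstance(t, str):
        return t
    head, args = t[0], [normalize(a) for a in t[1:]]  # children first; a root step only returns a child
    if head in ('p1', 'p2') and is_app(args[0], 'pair'):
        return args[0][1] if head == 'p1' else args[0][2]
    if head == 'dec' and is_app(args[0], 'enc') and args[0][2] == args[1]:
        return args[0][1]
    return (head, *args)

def subst(t, v, e):  # t with the atom v replaced by the term e
    return e if t == v else t if isinstance(t, str) else (t[0], *[subst(s, v, e) for s in t[1:]])

def exposed(t):  # x occurs in t with no encryption plaintext-above it (simplified M_t^s criterion)
    if isinstance(t, str):
        return t == X
    return exposed(t[2]) or exposed(t[3]) if t[0] == 'enc' else any(exposed(s) for s in t[1:])

def on_pair_path(t):  # x is reachable from t through pairs only
    return t == X or (is_app(t, 'pair') and (on_pair_path(t[1]) or on_pair_path(t[2])))

def abstract(t, fresh):  # keep the pair spine leading to x; every other branch becomes a fresh z_i
    if t == X:
        return X
    if is_app(t, 'pair') and on_pair_path(t):
        return ('pair', abstract(t[1], fresh), abstract(t[2], fresh))
    return 'z%d' % next(fresh)

def contexts(t, fresh):
    """Shapes of the elements of E_i found in t: each enc whose plaintext reaches x through pairs,
    abstracted; an encryption nested in that plaintext is listed on its own (enc(<x,z4>,k_bs,r') in 4.2)."""
    if isinstance(t, str):
        return []
    own = [('enc', abstract(t[1], fresh), t[2], t[3])] if t[0] == 'enc' and on_pair_path(t[1]) else []
    return own + [c for s in t[1:] for c in contexts(s, fresh)]

def max_path(e, d='z'):  # max E: the destructor term D(z) such that D[E/z] normalizes to x
    if e == X:
        return d
    if e[0] == 'enc':
        return max_path(e[1], ('dec', d, e[2]))
    return max_path(e[1], ('p1', d)) if on_pair_path(e[1]) else max_path(e[2], ('p2', d))

def chain(t):  # projections stacked on dec(z_i, k), z_i an input variable, renamed to dec(z, k); else None
    if is_app(t, 'dec') and isinstance(t[1], str) and t[1].startswith('z'):
        return ('dec', 'z', t[2])
    c = chain(t[1]) if is_app(t, 'p1', 'p2') else None
    return None if c is None else (t[0], c)

def destructor_paths(t):  # V: the maximal destructor chains occurring in an output
    if isinstance(t, str):
        return []
    c = chain(t)
    return [c] if c is not None else [d for s in t[1:] for d in destructor_paths(s)]

def replace(t, hit):  # every destructor chain of t lying in hit becomes x
    if isinstance(t, str):
        return t
    return X if chain(t) in hit else (t[0], *[replace(s, hit) for s in t[1:]])

def analyse(outputs, tests):
    """outputs: output messages with k_ab := x; tests: destructor operands of the tests with the input
    variable renamed to z.  Returns (levels E_0, E_1, ..., V, tests exposing x on some E in some E_i)."""
    levels = [[c for o in outputs for c in contexts(o, count(1))]]
    V = {d for o in outputs for d in destructor_paths(o)}
    seen = set()
    while hit := (V & {max_path(e) for e in levels[-1]}) - seen:  # E_{i+1}: outputs re-emitting an E_i secret
        seen |= hit
        nxt = [c for o in outputs if replace(o, hit) != o for c in contexts(replace(o, hit), count(1))]
        if nxt:
            levels.append(nxt)
    bad = [(t, e) for t in tests for lvl in levels for e in lvl if exposed(normalize(subst(t, 'z', e)))]
    return levels, V, bad

NS_OUTPUTS = [  # Section 4.2: the outputs of A and of S(k_ab)
    pair('a', 'b', 'n_a'),
    ('p2', ('p2', ('p2', ('dec', 'z_a', 'k_as')))),
    ('enc', pair(('p2', ('p2', 'z_s')), ('p1', ('p2', 'z_s')), X,
                 ('enc', pair(X, ('p1', 'z_s')), 'k_bs', "r'")), 'k_as', 'r'),
]
NS_TESTS = [('p1', ('dec', 'z', 'k_as')), ('p1', ('p2', ('dec', 'z', 'k_as')))]
WMF_OUTPUTS = [  # Section 4.3: the outputs of A, B(k_ab) and S
    'n_a',
    ('enc', pair('z_b', 'a', X), 'k_bs', 'r'),
    ('enc', pair(('p1', ('dec', 'z_s', 'k_bs')), 'b', ('p2', ('p2', ('dec', 'z_s', 'k_bs')))), 'k_as', "r'"),
]
WMF_TESTS = [('p1', ('dec', 'z', 'k_as')), ('p1', ('p2', ('dec', 'z', 'k_bs')))]

if __name__ == '__main__':
    print(analyse(NS_OUTPUTS, NS_TESTS), analyse(WMF_OUTPUTS, WMF_TESTS), sep='\n')
```

Running the script reproduces the sets of Sections 4.2 and 4.3: for Needham-Schroeder one level $\mathcal{E}_0$ with two contexts, $\mathcal{V}$ reduced to $\pi_2(\pi_2(\pi_2(dec(z, k_{as}))))$ and no test over the secret; for Wide Mouthed Frog the two levels $\mathcal{E}_0$ (under $k_{bs}$) and $\mathcal{E}_1$ (under $k_{as}$), the latter produced because $\pi_2(\pi_2(dec(z, k_{bs})))$ lies in both $\mathcal{V}_0$ and $\max\mathcal{E}_0$. Appending the operand $\pi_2(\pi_2(dec(z, k_{as})))$ to the Wide Mouthed Frog tests, i.e. letting $A$ test the key component of the server message, makes the last component non-empty, which is exactly the situation the hypothesis "does not test over $k_{ab}$" rules out.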
5. Conclusion

In recent years many automatic tools have been developed for verifying security protocols.
The overwhelming majority of them address reachability-based properties such as
syntactic secrecy. On the other hand, some important security notions such as strong secrecy
rely on provable equivalences between systems. Typically, the impossibility of guessing a
vote or a password is commonly expressed that way. Hence, in order to widen the scope of the
current protocol analysis tools, in the present paper we have shown how syntactic secrecy
actually implies strong secrecy in both the passive and the active setting, under some conditions
motivated by counterexamples. In particular, such a result cannot hold for deterministic
encryption and we had to assume that it is probabilistic.

As future work, we plan to further investigate the active case by trying to relax our
conditions. There are several possible directions. First, we may consider specific classes of
protocols by restricting the syntax (for instance considering protocols without pairs, as
in [3, 25]) to see whether it is possible to refine our results in this setting. Second, we may
relax the requirement that processes cannot test over the secret by requiring instead that
the two branches of the test are indistinguishable. This is the case for example when a test
is followed in each branch by other tests that will never succeed when the first one is really
applied to secret data. This would require considering more complex over-approximations
of the set of sent messages. In particular, in the definition of the set $\mathcal{E}$, we would have to
consider trees instead of simply paths potentially leading to the secret.
Appendix A. Proof of Lemma 2.9

Lemma A.1. Let $\varphi = \nu\tilde{n}.\sigma$ be an extended well-formed frame w.r.t. $s \in \tilde{n}$ such that $\varphi \nvdash s$.
Let $U$ be a term with $\mathcal{V}(U) \subseteq dom(\varphi)$ and $M$ be a closed term in normal form such that $U$
and $M$ are public w.r.t. $\varphi$. If $U\sigma[M/s] \to V$, for some term $V$, then there exists an extended
well-formed frame $\varphi' = \nu\tilde{n}.\sigma'$ w.r.t. $s$

• extending $\varphi$, that is $x\sigma' = x\sigma$ for all $x \in dom(\sigma)$,

• preserving deducible terms: $\varphi \vdash W$ if and only if $\varphi' \vdash W$,

• and such that $V = V'\sigma'[M/s]$ and $U\sigma \to V'\sigma'$ for some $V'$ public w.r.t. $\varphi'$.

Proof. Let $U, V, M$ be terms with $U$ and $M$ public w.r.t. $\varphi$, $M$ being closed and in normal
form, such that $U\sigma[M/s] \to V$, as in the statement of the lemma. Let $L \to R \in \mathcal{R}_E$ be
the rule that was applied in the above reduction and let $p$ be the position at which it was
applied, i.e. $U\sigma[M/s]|_p = L\theta$. Since $M$ is in normal form, $p \in Pos(U\sigma)$.

Assume that there is a substitution $\theta_0$ such that $U\sigma|_p = L\theta_0$. This will be proved in the
Claim below. It follows that $U\sigma$ is reducible. If $p \notin Pos_{nv}(U)$ then there is a term of $ran(\sigma)$
which is reducible. This contradicts the fact that $\varphi$ is an extended well-formed frame (since
all terms in such a frame should be in normal form). Hence we have that $p \in Pos_{nv}(U)$.
Let $T = U|_p$. We have $T\sigma[M/s] = L\theta$ and $T\sigma = L\theta_0$.

For our equational theory $E$, $R$ is either a constant (i.e. $ok$) or a variable. If $R$ is a
constant then we take $V' = U[R]_p$ and $\sigma' = \sigma$. It is easy to verify that the conditions of
the lemma are satisfied in this case.

Suppose now that $R$ is a variable $z_0$. Then consider the position $q$ of $z_0$ in $L$ (for our
equational theory there is exactly one occurrence of $z_0$ in $L$). This position $q$ is also in $L\theta_0$,
that is in $T\sigma$. Hence the two following possibilities may occur:

(1) If $q \in Pos_{nv}(T)$, that is there is no $y \in dom(\sigma)$ above $z_0$, then we consider $V' =
U[T|_q]_p$ and $\sigma' = \sigma$. In this case also, it is easy to verify that the conditions of the
lemma are satisfied.

(2) If $q \notin Pos_{nv}(T)$, that is there is some $y \in dom(\sigma)$ above $z_0$, then we consider
$V' = U[y']_p$ and $\sigma' = \sigma \cup \{R\theta_0/y'\}$, where $y'$ is a new variable (i.e. $y' \notin dom(\sigma)$).
The term $V'$ is clearly public w.r.t. $\varphi'$. Since $T\sigma =_E R\theta_0$, $\varphi \vdash R\theta_0$. This shows
that $\varphi \vdash W$ if and only if $\varphi' \vdash W$ for any term $W$.

We have $V'\sigma' = (U[y']_p)\sigma' = U\sigma'[y'\sigma']_p = U\sigma[R\theta_0]_p$. Hence $U\sigma \to V'\sigma'$.

From $T\sigma = L\theta_0$ and $T\sigma[M/s] = L\theta$ we deduce that $z\theta_0[M/s] = z\theta$ for all $z \in \mathcal{V}(L)$,
hence $R\theta_0[M/s] = R\theta$. Thus $V'\sigma'[M/s] = (U\sigma[M/s])[R\theta]_p = V$.

Since there is some $y \in dom(\varphi)$ above $z_0$, $R\theta_0 = z_0\theta_0$ is a subterm of a term of $\sigma$.
Then $R\theta_0$ is in normal form since all the terms in $ran(\sigma)$ are in normal form. Also
all agent encryptions in $\varphi'$ are probabilistic. Suppose that there is an occurrence of
$s$ in $R\theta_0$ such that there is no encryption plaintext-above it (in $R\theta_0$). In this case
we have that all the function symbols above this occurrence in $R\theta_0$ are $\langle\rangle$ or $sign$.
Thus $s$ is deducible from $\varphi'$ and hence from $\varphi$, which represents a contradiction
with the hypothesis. Hence there is an encryption plaintext-above any occurrence
of $s$ in $R\theta_0$. All this proves that $\varphi'$ is also an extended well-formed frame.

Claim: Let us now prove that there exists $\theta_0$ such that $U\sigma|_p = L\theta_0$. Assume by contradiction
that it is not the case. Then at least one of the following cases occurs:

(1) there is a position in $L$ which is not a position in $U\sigma|_p$;

(2) there is a variable $z$ in $L$ having at least two occurrences, say at positions $p_1, p_2$, for
which $(U\sigma|_p)|_{p_1} \neq (U\sigma|_p)|_{p_2}$.

Let us examine in detail the two cases:

(1) Consider a minimal position $q'$ (w.r.t. the prefix order) in $L$ which is not a position
in $U\sigma|_p$. Then $q' = q \cdot 1$ with $q$ a position of $U\sigma|_p$, and there is an $s$ at position $q$ in
$U\sigma|_p$ (since such minimal positions in $L$ must be positions in $U\sigma[M/s]|_p$, but not in
$U\sigma|_p$). Also $q \neq \epsilon$ (i.e. it does not correspond to the head of $L$) since otherwise
$M$ would not be in normal form. By examining all rules in $\mathcal{R}_E$, we observe that at
least one of the conditions in the definition of extended well-formed frames is not
satisfied. For example, if $L \to R$ is the rule $\pi_1(\langle z_1, z_2\rangle) \to z_1$ then $q = 1$. Then
either $\pi_1(y)$ is the subterm at position $p$ in $U$ and $y\sigma = s$ (an impossible case since
$s$ would be deducible), or $\pi_1(s)$ is the subterm at position $p$ in $U\sigma$ and this
subterm is also a subterm of a term of $\sigma$ (again an impossible case because there are
no destructors right above $s$ in a term of an extended well-formed frame). If $L \to R$
is the rule $deca(enca(z_1, pub(z_2), z_3), priv(z_2)) \to z_1$ then $q$ might be $1$ or $1 \cdot 2$. The
case $q = 1$ is similar to the previous one. If $q = 1 \cdot 2$ then we have a term in $\sigma$
having $enca(W, s)$ as subterm for some $W$ (otherwise $s$ would be deducible). But
this again contradicts the definition of extended well-formed frames. The analysis
for the other rules is similar.

(2) Let $T_1 = (U\sigma|_p)|_{p_1}$ and $T_2 = (U\sigma|_p)|_{p_2}$. We have $T_1 \neq T_2$, but $T_1[M/s] = T_2[M/s]$.
Consider an arbitrary position $q_s$ of $s$ in $T_1$. Since $U$ is public, there is a variable
$y \in \mathcal{V}(U)$ at position say $p_y$ such that $p_y < p \cdot p_1 \cdot q_s$. Consider the lowest agent
encryption $q_{enc}$ plaintext-above $q_s$ in $U\sigma$. It occurs in $y\sigma$ according to the definition
of extended well-formed frames. Suppose that $p \cdot p_1 > q_{enc}$. The function symbols
between $q_{enc}$ and $p \cdot p_1$ must be $\langle\rangle$ or $sign$. But this holds for none of the rules
in $\mathcal{R}_E$. Hence there is an agent encryption plaintext-above $q_s$ in $T_1$. The same
argument applies to $T_2$. We can thus apply Point 3 of Corollary 2.8 to $T_1$ and $T_2$ and
obtain a contradiction, that is $T_1 = T_2$.

We have seen that the two cases lead to contradictions. So there is $\theta_0$ such that $U\sigma|_p = L\theta_0$.

□

Appendix B. Proof of Lemma 3.1

Lemma B.1. Let $P$ be a closed plain process, and $A$ be a closed extended process such
that $P \Rightarrow^* A$. There are $l \geq 0$, an extended process $B = \nu\tilde{n}.\sigma_l \mid P_B$, where $P_B$ is some
plain process, and $\theta$ a substitution public w.r.t. $\tilde{n}$ such that: $A \equiv B$, $\tilde{n} \subseteq bn(P)$, for every
operand of a test or an output $M$ of $P_B$ there is a message $M_0$ in $P$ (an operand of a test
or an output, respectively) such that $M = M_0\theta\sigma_l$, and $\sigma_i = \sigma_{i-1} \cup \{M_i\theta_i\sigma_{i-1}/y_i\}$ is a ground
substitution, for all $1 \leq i \leq l$, where $M_i$ is an output in $P$, $\theta_i$ is a substitution public w.r.t.
$\tilde{n}$ and $\sigma_0$ is the empty substitution.

Proof. We provide an inductive and constructive proof. We reason by induction on the
number of reductions in $P \Rightarrow^* A$. The base case is evident.

Assume that $P \Rightarrow^* A_l$ and that there are $l$, $B_l$ and $\theta$ as in the statement of the lemma.
Suppose that $A_l \to A_{l+1}$ and consider the reduction rule that was used:

• If it is an internal reduction then, since static equivalence is closed under structural
equivalence and internal reduction (see Lemma 1 in [1]), it is sufficient to consider
as searched values the same as for $A_l$.

• If it is a labeled reduction $A_l \xrightarrow{\alpha} A_{l+1}$ then we prove the following property: $\alpha \neq c(x)$ (for any $c$
and $x$) and there is an extended process $B_{l+1} = \varphi(B_{l+1}) \mid P_{l+1}$ such that $B_{l+1} \equiv A_{l+1}$
and

– if $\alpha = \nu x.\bar{c}\langle x\rangle$ then $P_{l+1} = P_l$ and $\varphi(B_{l+1}) = \nu\tilde{n}.\sigma_{k+1}$, where $\sigma_{k+1} = \sigma_k \cup \{M_l/x\}$
and $M_l$ is an output in $P_l$;

– if $\alpha = c(M)$ then $\varphi(B_{l+1}) = \varphi(B_l)$ and for every message (an operand of a
test or an output) $M_{l+1}$ in $P_{l+1}$ there is a message (an operand of a test or an
output, respectively) $M_l$ in $P_l$ such that $M_{l+1} = M_l\theta'\sigma_k$, for some substitution
$\theta'$ public w.r.t. $\tilde{n}$;

– if $\alpha = \bar{c}\langle n\rangle$ or $\alpha = \nu n.\bar{c}\langle n\rangle$ then $P_{l+1} = P_l$, and $\varphi(B_{l+1}) = \varphi(B_l)$ or $\varphi(B_{l+1}) =
\nu(\tilde{n} \setminus \{n\}).\sigma_k$, respectively.

It is easy to see that this property is sufficient to prove the inductive step.

The property can be verified by showing, using induction on the shape of the
derivation tree, that for any extended processes $A', A'', B'$ such that $A' \xrightarrow{\alpha} A''$,
$A' \equiv B'$ and $B' = \nu\tilde{n}.\sigma \mid Q$, there is $B''$ such that $A'' \equiv B''$ and $B'' = \nu\tilde{n}'.\sigma' \mid Q'$, where

– if $\alpha = c(M)$ then $\tilde{n}' = \tilde{n}$, $\sigma' = \sigma$ and $N'' = N'\{M/x\}$ for each term $N''$ of $B''$,
where $N'$ is the corresponding term in $B'$ and $c(x)$ is an input in $B'$;

– if $\alpha = \nu x.\bar{c}\langle x\rangle$ then $Q' = Q$, $\tilde{n}' = \tilde{n}$, and $\sigma' = \sigma \cup \{M/x\}$ where $\bar{c}\langle M\rangle$ is an output
in $B'$;

– if $\alpha = c(x)$, $\alpha = \bar{c}\langle n\rangle$ or $\alpha = \nu n.\bar{c}\langle n\rangle$ then $\tilde{n}' = \tilde{n}$ for the first two cases, and
$\tilde{n}' = \tilde{n} \setminus \{n\}$ for the third one, $\sigma' = \sigma$ and $Q' = Q$.

□



Appendix C. Proof of Lemmas 3.4 and 3.5

In what follows we usually simply write $\mathcal{M}$, $\mathcal{M}_t$, $\mathcal{M}_o$, $\mathcal{V}_0$, $\mathcal{E}$ instead of, respectively,
$\mathcal{M}(P)$, $\mathcal{M}_t(P)$, $\mathcal{M}_o(P)$, $\mathcal{V}_0(P)$, $\mathcal{E}(P)$, etc.

We also define the partial subtraction function $- : \mathbb{N}^*_\bot \times \mathbb{N}^*_\bot \to \mathbb{N}^*_\bot$ as follows: $p - q = r$
if $p = q \cdot r$ and $p - q = \bot$ otherwise.

Let $U$ and $V$ be two terms. We define $Pos(U, V) = \{p \in Pos(U) \mid U|_p = V\}$.

Observe that for the rewriting system corresponding to the equational theory $E$, there is at
most one rule that can be applied at a given position, and for each rule $L \to R$ there is exactly
one occurrence of $R$ in $L$.

We denote by $U \to^\theta_q V$ the reduction $U \to V$ such that $U|_q = L\theta$ and $V = U[R\theta]_q$,
where $q$ is a position in $U$, $L \to R$ is a rule in $\mathcal{R}_E$, and $\theta$ is a substitution. Let $p$ be a position
in $U$. We define a partial function $par_1(U, p, q)$ that computes, when $U \to_q V$, the position
after one rewriting step of the function symbol at position $p$ in $U$. In particular, if $par_1(U, p, q) \neq \bot$
then $U|_p = V|_{par_1(U, p, q)}$. Formally, we define the function $par_1 : \mathcal{T} \times \mathbb{N}^* \times \mathbb{N}^* \to \mathbb{N}^*_\bot$ as
follows:

$par_1(U, p, q) = p'$ if $U \to_q V$, and $par_1(U, p, q) = \bot$ otherwise,

where

$p' = p$ if $p \not\geq q$ (the symbol at $p$ is not inside the redex),
$p' = \bot$ if $p \geq q$ and $p \not\geq q \cdot q_r$ (the symbol at $p$ is inside the redex but not in its kept part),
$p' = q \cdot (p - q \cdot q_r)$ if $p \geq q \cdot q_r$,

and $L \to R$ is the rule that was applied and $q_r$ is the position of $R$ in $L$.

Similarly, the function $par(U, p)$ computes the position after rewriting in $U{\downarrow}$. The
function $par : \mathcal{T} \times \mathbb{N}^* \to \mathbb{N}^*_\bot$ is formally defined by $par(U, p) = p_k$, where $U = U_0 \to_{q_1} U_1 \cdots \to_{q_k} U_k$,
$U_k = U{\downarrow}$, $p_i = par_1(U_{i-1}, p_{i-1}, q_i)$ for $1 \leq i \leq k$, and $p_0 = p$. Due to the particular form of
our equational theory, the choice of the rewriting steps does not change the final value of
$p_k$, thus the definition is correct.

The function $par^{-1}(U, p)$ is the inverse function: to a position $p$ in $U{\downarrow}$ it associates the
corresponding position in $U$, that is, $par^{-1} : \mathcal{T} \times \mathbb{N}^* \to \mathbb{N}^*_\bot$ with $par^{-1}(U, p) = p'$ if and only if
$par(U, p') = p$.

We say that a function symbol at position $p$ is consumed in $V$ w.r.t. the reduction
$U \to_q V$ if $par_1(U, p, q)$ is undefined. Similarly, we say that a function symbol at position $p$
is consumed in $U{\downarrow}$ w.r.t. the normal form $U{\downarrow}$ if $par(U, p)$ is undefined. We say simply that
an occurrence is consumed in some term when it is clear from the context which definition
is used.



Lemma C.1. Let $P$ be a well-formed process with no test over $s$ and $\varphi = \nu\tilde{n}.\sigma$ be a
valid frame w.r.t. $P$ such that $\varphi \nvdash s$. Consider the corresponding standard frame $\nu\tilde{n}.\sigma_l =
\nu\tilde{n}.\{U_i/y_i \mid 1 \leq i \leq l\}$. For every $i$ and every occurrence $q_s$ of $s$ in $U_i{\downarrow}$, we have $f_e(U_i{\downarrow}, q_s) =
E[W/x]$ for some $E \in \mathcal{E}(P)$ and some term $W$. In addition $\nu\tilde{n}.\sigma_l{\downarrow}$ is an extended well-formed
frame w.r.t. $s$.



Proof. We write the standard frame $\sigma_l$ as in the statement of Lemma 3.1, that is $U_i =
M_i\theta_i\sigma_{i-1}$ for all $1 \leq i \leq l$, with $M_i$ an output in $P$, $\theta_i$ a public substitution w.r.t. $s$ and
$\sigma_i = \sigma_{i-1} \cup \{U_i/y_i\}$, $\sigma_0$ being the empty substitution. We reason by induction on $i$.

Base case: $i = 1$. We have that $U_1 = M_1\theta_1$. Then $U_1{\downarrow} = M_1(\theta_1{\downarrow})$ since there are
no destructors in the output $M_1$. Hence any position $q_s$ of $s$ is in fact a position in $M_1$,
since $s$ cannot appear in $\theta_1$ because $s$ is restricted and $\theta_1$ is a public substitution. There
must be an encryption above $q_s$ in $M_1$ (that is, a position $q_{enc} \cdot 1 \leq q_s$), since otherwise $s$
would be deducible (the same argument as in Lemma 2.5 applies). Then the result follows
immediately from the definition of $\mathcal{E}_0$ (take $W = s$) and the properties of well-formed
processes.

Inductive step. Let $p_s = par^{-1}(U_i, q_s)$.

If $p_s \in Pos(M_i)$ then, as in the previous paragraph, $f_e(U_i{\downarrow}, q_s)[x/s] \in \mathcal{E}_0$.

Otherwise, since $\theta_i$ is public, $p_s \notin Pos(M_i\theta_i)$. It follows that there are $z \in \mathcal{V}(M_i)$
and $y_{i_1} \in \mathcal{V}(M_i\theta_i)$ at positions $p_z$ and $p_{y_{i_1}}$ respectively, such that $p_z < p_{y_{i_1}} < p_s$ and
$1 \leq i_1 \leq i - 1$. Let $p^1_s = p_s - p_{y_{i_1}}$ and $q^1_s = par(U_{i_1}, p^1_s)$. By induction hypothesis, $\sigma_{i-1}{\downarrow}$ is an
extended well-formed frame and $f_e(U_{i_1}{\downarrow}, q^1_s) = E[W/x]$ with $E \in \mathcal{E}_l$, for some term $W$ and
some $l \geq 0$. It follows from the definition of extended well-formed frames that in $y_{i_1}\sigma_{i-1}{\downarrow}$ there
is an encryption above $q^1_s$, that is $q^1_{enc} = \max\{q \in Pos(U_{i_1}{\downarrow}) \mid q < q^1_s \wedge h((U_{i_1}{\downarrow})|_q) = enc_g\}$
exists. Let $p^1_{enc} = par^{-1}(U_{i_1}, q^1_{enc})$.

If $p_{y_{i_1}} \cdot p^1_{enc}$ is not consumed in $U_i{\downarrow}$ then $par(U_i, p_{y_{i_1}} \cdot p^1_{enc})$ is the lowest encryption in $U_i{\downarrow}$
above $q_s$ (since it corresponds to $q^1_{enc}$). It follows that $f_e(U_i{\downarrow}, q_s) = f_e(U_{i_1}{\downarrow}, q^1_s)$.






V. CORTIER, M. RUSINOWITCH, AND E. ZALINESCU 



Otherwise, that is if $p_{y_{i_1}} \cdot p^1_{enc}$ is consumed in $U_i{\downarrow}$, consider the occurrence of $dec_g$
in $U_i$, say $p_{dec}$, that consumes it. Since $p^1_{enc}$ is not consumed w.r.t. $U_{i_1}{\downarrow}$ it follows that
$p_{dec} \in Pos(M_i\theta_i)$, and all encryptions above $p^1_{enc}$ in $U_{i_1}$ are consumed in $U_i{\downarrow}$. If $p_{dec}$ is
in $z\theta_i$ (that is, $p_{dec} \notin Pos_{nv}(M_i)$) then all encryptions above $p^1_{enc}$ in $U_{i_1}$ are consumed by
decryptions that are in $z\theta_i$. This means that in $(z\theta_i\sigma_{i-1}){\downarrow}$ there is no encryption above $s$
and thus $\varphi \vdash s$. Hence $p_{dec}$ is in $M_i$ (that is, $p_{dec} \in Pos_{nv}(M_i)$).

Let $U, V, K, K'$ and $R$ be terms such that $dec_g(U, K) = U_i|_{p_{dec}}$ and $enc_g(V, K', R) =
U_{i_1}|_{p^1_{enc}}$. We have that $K =_E K'$ since $p_{dec}$ consumes $p_{y_{i_1}} \cdot p^1_{enc}$. We then have
$dec_g(U, K) \to^* dec_g(enc_g(V{\downarrow}, K, R), K) \to^* V{\downarrow}$.

Let $(D, p) = f_{dp}(M_i, p_z)$ and write it as $D = D_1(\ldots D_n)$ where $D_j = \pi_j(dec_g(z_0, K_j))$
with $1 \leq j \leq n$, and consider $D_k$ such that the decryption $p_{dec}$ is that of $D_k$. Clearly
$x \in h(D_k(E){\downarrow})$. From the first condition of processes that do not test over $s$ we have
that $k = 1$ and $E \not\leq_{st} D_1$. Since $p_{dec}$ consumes $p_{y_{i_1}} \cdot p^1_{enc}$, above $p_{dec}$ in $D_1$ there are only
projections, below $enc_g$ in $E$ there are only pairs, and $E \not\leq_{st} D_1$, it follows that $D_1 \leq_{st} E$.
Hence $D_1 \in \mathcal{E}_l$.

Suppose that there is no encryption above $p_{dec}$ in $M_i$. Then since $D_1$ is consumed
and above $D_1$ in $M_i$ there are only pairs or signatures, it follows that $s$ is deducible from
$\sigma_i$ (more exactly from $U_i{\downarrow}$). Thus there is at least one encryption above $p_{dec}$ in $M_i$. Let
$(M', p_{enc}) = f_{ep}(M_i, p_z)$. Then $M'[x]_p \in \mathcal{E}_{l+1}$.

Since $p_{enc}$ is not consumed in $U_i{\downarrow}$ and in $M'$ all function symbols above $p$ are not
destructors, we have that $f_e(U_i, p_s) = (M'[x]_p)[x \mapsto D_1(f_e(enc_g(V, K', R), p'_s))]$ where $p'_s =
p^1_s - p^1_{enc}$. Hence $f_e(U_i{\downarrow}, q_s) = (M'[x]_p)[W'/x]$, where $W' = D_1(f_e(enc_g(V, K', R), p'_s)){\downarrow}$. That
is, we have the first part of the lemma.

In order to prove that $\sigma_i{\downarrow}$ is an extended well-formed frame we just need to show that
$M'[x]_p$ and $W'$ contain only pairs and signatures (except for the head of $M'[x]_p$, which is
an encryption); obviously all agent encryptions are probabilistic encryptions, either by the
definition of well-formed processes or by induction hypothesis. From the definition of $M'$, all
function symbols (except for the head) in $M'[x]_p$ are pairs and signatures. And since $\sigma_{i-1}{\downarrow}$
is an extended well-formed frame, the term $W'$ is a subterm of $f_e(enc_g(V, K', R), p'_s)$
which (except for the head) contains only pairs and signatures as function symbols, by
definition of $f_e$. □

Claim. Let $P$ be a well-formed process with no test over $s$, $\varphi = \nu\tilde{n}.\sigma$ be a valid frame
w.r.t. $P$ such that $\varphi \nvdash s$, $T \in \mathcal{M}_t(P)$ be an operand of a test and $\theta$ be a public substitution.
If $T \notin \mathcal{M}_t^s$ then for any occurrence $q_s$ of $s$ in $(T\theta\sigma){\downarrow}$ there is an encryption $q_{enc}$ plaintext-
above it such that this encryption is an agent encryption w.r.t. $\tilde{n} \setminus \{s\}$, is a probabilistic
encryption w.r.t. $ran(\sigma)$, and $h((T\theta\sigma){\downarrow}|_q) \in \{\langle\rangle, sign\}$ for all positions $q$ with $q_{enc} < q < q_s$.

Proof. Suppose that $T \notin \mathcal{M}_t^s$ and consider an occurrence $q_s$ of $s$ in $(T\theta\sigma){\downarrow}$. Hence $T$ is not
ground; denote by $z$ the variable of $T$ and by $p_z$ its position. Let $T_z = (z\theta\sigma){\downarrow}$.

Let $\sigma_l = \{U_1/y_1, \ldots, U_l/y_l\}$ be the standard frame w.r.t. $A$ (where $\varphi = \varphi(A)$ for some
extended process $A$). Let $p_s = par^{-1}(T\theta\sigma, q_s)$. Let $y_i$ be the variable of $z\theta$ on the path
to $p_s$, at position say $p_y$, with $1 \leq i \leq l$. Applying Lemma 3.4 to $U_i$ we obtain that
$f_e(U_i{\downarrow}, q'_s) = E[W/x]$ with $E \in \mathcal{E}(P)$, for some term $W$, where $q'_s$ is the position in $U_i{\downarrow}$
corresponding to $q_s$. Consider the lowest encryption $q_{enc}$ in $U_i{\downarrow}$ above $q'_s$.

Suppose that this encryption is consumed. Then it must be consumed by a $dec_g$ from
$T$ since otherwise $s$ would be deducible. It follows that there is $1 \leq j \leq n$ such that
$D_j = \pi_j(dec(z_0, K))$, where $f_d(T, p_z) = D_1(\ldots D_n)$, $E = enc(U, K, R)$ and $x \in D_1(E){\downarrow}$
for some terms $U, K$ and $R$. Thus $T \in \mathcal{M}_t^s$, but this contradicts the hypothesis. Hence
$q_{enc}$ is not consumed in $(T\theta\sigma){\downarrow}$. Since $\nu\tilde{n}.\sigma{\downarrow}$ is an extended well-formed frame (again from
Lemma 3.4), the encryption $q_{enc}$ clearly satisfies the hypothesis. □

Lemma C.2. Let $P$ be a well-formed process with no test over $s$, $\varphi = \nu\tilde{n}.\sigma$ a valid frame
for $P$ such that $\varphi \nvdash s$, $\theta$ a public substitution and $M$ a public ground term. If $T_1 = T_2$ is a
test in $P$, then $T_1\theta\sigma[M/s] =_E T_2\theta\sigma[M/s]$ implies $T_1\theta\sigma =_E T_2\theta\sigma$.

Proof. $T_1\theta\sigma[M/s] =_E T_2\theta\sigma[M/s]$ rewrites as $(T_1\theta\sigma[M/s]){\downarrow} = (T_2\theta\sigma[M/s]){\downarrow}$. Since the rewrite
system $\mathcal{R}_E$ is convergent, it follows that $((T_1\theta\sigma){\downarrow}[M/s]){\downarrow} = ((T_2\theta\sigma){\downarrow}[M/s]){\downarrow}$.

Suppose first that $T_1, T_2 \in \mathcal{M}_t$. Then, from the claim above, above any occurrence of $s$ there
are no destructors, hence $(T_1\theta\sigma){\downarrow}[M/s]$ is already in normal form. The same thing holds for
$T_2$. Thus $(T_1\theta\sigma){\downarrow}[M/s] = (T_2\theta\sigma){\downarrow}[M/s]$. The previous claim also ensures that in $(T_1\theta\sigma){\downarrow}$ and
$(T_2\theta\sigma){\downarrow}$ there is an agent probabilistic encryption above each occurrence of $s$. Hence we
can apply Lemma 2.7 and obtain that $(T_1\theta\sigma){\downarrow} = (T_2\theta\sigma){\downarrow}$, that is $T_1\theta\sigma =_E T_2\theta\sigma$.

Suppose now that $T_2 \notin \mathcal{M}_t$. Then $T_2 = n$ where $n$ is a restricted name. The name $n$ is
a subterm of $(T_1\theta\sigma[M/s]){\downarrow}$ appearing at a position $p$ in $T_1\theta\sigma[M/s]$. Since $M$ is public while
$n$ is restricted, it follows that $n$ is not a subterm of $M$, that is there is no occurrence $q_s$ of $s$ in
$T_1\theta\sigma$ such that $q_s < p$. Then $((T_1\theta\sigma){\downarrow}[M/s]){\downarrow} = (T_1\theta\sigma){\downarrow}[M/s]$. Hence $(T_1\theta\sigma){\downarrow} = n$.

If the test is $check(T, T', K) = ok$ then $T\theta\sigma[M/s] =_E retrieve(T')\theta\sigma[M/s]$. Applying the
lemma for the test $T = retrieve(T')$ we obtain that $T\theta\sigma =_E retrieve(T')\theta\sigma$. Since the keys
are ground, it then follows that $check(T, T', K)\theta\sigma =_E ok$. □